RSA 2009: Hackers targeting human/machine interface

Hackers are increasingly preying on human gullibility

Better security technology means that hackers are focusing more on the point where humans meet machines in their efforts to penetrate systems.

In his keynote to the RSA 2009 conference, Brian Truskowski, general manager of IBM's Internet Security Systems (ISS) business, told delegates that despite all the improvements in security technology the human element was still the key weakness in any system.

“We need to admit humans will always fall for a good hoax, then we need to accept it and move on,” he said.

“Humans are an infinite threat to security. This is why security has moved to the machine/human interaction point, chiefly the browser and the application.”

He gave the example of Kevin Mitnick, one of the most famous hackers of all time. Mitnick himself admitted that his success was down less to his computer knowledge and more to an ability to fool people with social engineering.

Truskowski said that for security to be effective it needed to be built into the enterprise from the ground up and be responsive. Too many vendors focused just on blocking one attack vector when a more flexible approach was needed.

The situation was similar to the Titanic, he said. The ship builders focused on strength, speed and luxury and ignored maneuverability, which proved fatal for many of the passengers.

“Too many chief executives see the iceberg coming but can't do anything about it,” Truskowski said.

Companies should focus on building flexible network security and consider offloading part of the business to managed security vendors, he continued, as there are simply not enough good security personnel available for IT departments to hire.