How secure is IT security when we have humans involved? {essay}

Introduction

During the last year we have heard of multiple security breaches at Google, one of the top companies on the web, which relies on its high-level infrastructure and its best practices to protect privacy and secure its content. But it is not the amount of investment in appliances that matters most; it is the importance and reliability that humans give to the information that they handle as users.

A high-level company like this is, as usual, attacked on many levels and components, but on occasion it leaves the human factor out of the equation, which can cause a massive problem [1].


To report or not?

Many companies that have had a security breach face a tough decision on how to comply with security matters, and then the further challenge of what, when and how to divulge, while understanding the consequences of doing so [7]. In 2003, the state of California was the first to enact a security breach notification law. Its main purpose was to give affected users as much advance notice as possible so that they can protect themselves, without relieving the company of its duty to resolve any security concern.

Prior to 2003 [6], a company that had a security breach was not required to declare it, and would avoid doing so mainly out of concern for its stock price or its reputation for integrity. For a second, let's imagine that a company like Symantec or McAfee, whose business is enforcing security, were to be breached: its reputation would decline immensely, making end users less inclined to trust it with their sensitive data and forcing the company to double its efforts to rise again. This suggests that disclosing a breach might be a good idea after all, for the public as well as for the company [7].

The Human Interaction

As we continue to rely more on information systems, we tend to concentrate more of our information in our technology. We have relieved ourselves of remembering information, of using proper channels for communication and of allocating the right place for securing the exchange of knowledge; we use technology for all of it. This is by no means to say that doing so is improper or wrong, but rather that if we depend on it, we need to be very secure and understand the impact that it has.

Reviewing the particular case in which a Google employee intruded into the Google accounts of several teenagers [1], we can see that it does not matter how effective our application is at the information technology layer if we disregard the human aspect. For obvious reasons, what happened next to the employee is understandable [4]. We need to treat human interaction as a necessary part of any security equation, since the technology continues to grow with our actions. For this reason, any profile that has access to data should be considered sensitive and, just like the data and the infrastructure, be audited, reviewed and investigated if there is a hint of misconduct [3].

One of the most improper uses of technology is the abuse of passwords. Staying with Google, we can see that it has suffered this year like many others: the bigger a company gets, the more it is targeted and the higher the prize for any attacker. Recently it was reported that millions of Google usernames and passwords were hacked [2]. Although this security breach was in part dismissed by Google's security team, it is good to note what they achieved, as well as the main reason we need to review it in a bit more depth.

Most people tend to use the same password on multiple services, such as Gmail, Flickr, Facebook or others. This means that if any one of these services is compromised, the attacker can gain access to the user's accounts on the other sites, obtain their confidential records and misuse this information for any purpose.
The breach was not of Google's servers directly; it targeted accounts that use Google as their primary email service, which by now has become one of the largest free email providers. This vulnerability, while not active, prompted Google to communicate directly with end users, helping them become more aware of a problem that lies not in the technology but in the human interaction.

Conclusion

While security and its processes continue to evolve, we always need to consider that the human factor is as important as the layers of technology that we put in place. It will always matter that we educate the users of technology to be the best defense that the software can have.
Understanding that human interaction is needed for the auditing, control and revision of policies and procedures implies that manual intervention is needed, and that it, just like the technology, should be controlled, audited and reviewed.

After all the attacks that many of the top IT companies receive, it is always good to know that the end user still has some control and can push those companies to keep striving to protect our identities. Since our identity continues to be thrown into the online world, we need more secure online identification, which can only be conceived and carried out with both parties fully involved: the application (company) and us.
If this can be accomplished and, in our case, Google continues to monitor its servers for any breach, we can rest assured that our information will be mostly secure, while understanding that the last layer of security will always be us.

References

  1. GCreep: Google Engineer Stalked Teens, Spied on Chats (Updated). (n.d.). Retrieved from http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats
  2. 5 Million Gmail Usernames, Passwords Hacked And Posted To Russian Bitcoin Forum: Report. (n.d.). Retrieved from http://www.ibtimes.com/5-million-gmail-usernames-passwords-hacked-posted-russian-bitcoin-forum-report-1684368
  3. Google Confirms That It Fired Engineer For Breaking Internal Privacy Policies | TechCrunch. (n.d.). Retrieved from http://techcrunch.com/2010/09/14/google-engineer-spying-fired/
  4. Google faces email security breach as engineer improperly accesses accounts. (n.d.). Retrieved from http://www.policypatrol.com/google-faces-email-security-breach-as-engineer-improperly-accesses-accounts/
  5. Google Says Not To Worry About 5 Million 'Gmail Passwords' Leaked - Forbes. (n.d.). Retrieved from http://www.forbes.com/sites/kashmirhill/2014/09/11/google-says-not-to-worry-about-5-million-gmail-passwords-leaked/
  6. Security Breach Notification Laws. (n.d.). Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
  7. Schneier on Security: Schneier: Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'. (n.d.). Retrieved from https://www.schneier.com/essays/archives/2007/01/schneierfulldisclo.html
Written on November 17, 2014