January 11, 2010, 6:19 PM — I was recently reminded while troubleshooting a friend's small business network of where most computer systems' real security weaknesses lie. Where do you think it is? The desktop operating system, which was Windows XP SP3? The server operating systems, which were Windows Server 2003 SP2 and Novell's SLES (SUSE Linux Enterprise Server) 11 SP1? Or, the Sonicwall TZ 210 firewall appliance?
The answer was, of course, none of the above. The weakest spot on your network is never your operating systems, your hardware, your applications, your security software or any of the rest of the technical side. The weakest link is always you and your people.
Whether it's something as simple as that old stand-by of users putting a password on a yellow sticky note on their monitor or someone tricking their way into your office with a fake ID, your real security problem is the people sitting between their keyboards and their displays.
Security software like anti-virus programs and firewalls do help stop attacks coming from over the Internet, but if you have only one person who's willing to click on a malware-bearing fake Hallmark e-card, you still have a problem.
The answer to this problem is education. You need to remind your users -- and yourself while you're at it -- that on the Internet everyone really is out to get you and you always have to your guard up. After all, just because you're paranoid doesn't mean that they're not out to get you.
This is boring I know. You'll find it boring; your users will certainly find it boring. But, it's the only way to make your network safer. It won't be perfectly safe mind you. There is no such thing as perfect security. But, it will help.
In my friend's case, I tracked down his problem to an employee who had brought a laptop from home into work and he had managed to give his laptop a case of Net-Worm.Win32.Kido.ih. When he booted up his system at the office, the virus got loose on their LAN and started fouling up their Windows 2003 servers, which is when I got called in.
OK, so there were several problems here, not the least of which was that they hadn't been doing a good job of keeping their Windows machines updated since the Windows security hole that lets Kido do its stuff, MS08-067 has been patched for over a year. Still, the bottom line is that they never would have ended up in any trouble if 1) the end-user hadn't had an infected laptop and 2) the IT staff let him hook his PC right up to the corporate network. Another day, another technical problem that was also largely a people problem.