According to experts in the security industry, shutting down a network or server is not a security measure because it prevents users from accessing resources on the server. Non-availability of a network violates the confidentiality, integrity, and availability triad. On the other hand, a server facing the internet, in spite of a DMZ or three firewalls, is still susceptible to malware because of frameworks like Metasploit, which allow developers to customize payloads to evade firewalls and anti-virus software.
Since the emergence of the internet, we have heard of how hackers deployed the Melissa virus, worms and trojans to steal users' information, cause computers to behave abnormally, and stop anti-virus software from working effectively. Moreover, we have heard of how attackers took advantage of default settings to access and modify users' permissions. Incompetence is the culprit.
Fortunately for us, security researchers have come up with diverse patches and security measures to cover up vulnerabilities. WPA2 with AES is preferred to other wireless security protocols like WEP and WPA with TKIP (Temporal Key Integrity Protocol). It is a network security technology commonly used on Wi-Fi wireless networks. However, upgrading WPA with AES is also not a bad idea. In the absence of WPA and WPA2, attackers compromised Wireless Encryption Protocol (WEP) via related-IV attacks.
An initialization vector (IV) allows one to create different keys to encrypt and decrypt data. The IV randomizes keys to ensure that the same keys are not reused. Although the IV allows one to create different keys, WEP uses a relatively small IV, which eventually causes keys to be reused over and over again. This vulnerability allows attackers to use those repeatedly reused keys to read data. Their mission to decrypt eavesdropping proved futile. In spite of numerous wireless security protocols, eavesdropping occurs frequently. WPA and WPA2 can't secure communication because of human incompetence.
Let’s shift our attention to web and database applications. It seems most web developers do not focus on clean code when writing source code for a web application. Because of this, attackers take advantage of coding errors to execute Cross-Site Request Forgery, Cross-Site Scripting, and SQL Injection. Moreover, vendors always pitch WAFs as powerful bulwarks to ward off unauthorised access or intrusion. Although some WAFs can withstand custom-crafted packets or scripts, naive security engineers can compromise powerful WAFs.
Let’s assume Ingram and Fletcher hired a security engineer from a cybersecurity firm to configure a newly purchased WAF. The security engineer from that cybersecurity firm should know how to configure it effectively. Typically, humans are prone to mistakes. The security engineer might configure it effectively and furthermore install plugins to deal with other patches. That’s the job of a security engineer. Like other security professionals, the security engineer may unknowingly ignore one particular default setting. Because of this, hackers can exploit this particular default setting to introduce a zero-day attack or directly shut down or compromise the WAF’s abilities. We can attribute this to forgetfulness.
Cybersecurity Awareness Training
In today’s corporate environment, employers occasionally hire infosec executives to train in-house employees on how to practically apply security measures to counter unauthorised intrusion. Cybersecurity experts claim training and educating employees can increase the importance of cybercrime. Typically, the main motive of cybersecurity training is to allow in-house employees to understand in practice how hackers access networks or hosts using specific utilities or exploitation agents like Empire.
Eventually, employees commit basic mistakes, allowing social engineering to take place. There are also quite a number of system administrators who cannot effectively configure a router or firewall to deny suspicious packets. A powerful router in the hands of a novice is a ‘dumb’ device. Most hackers take advantage of our ignorance to initiate attacks. Human incompetence, not the complex tools used by hackers, is one major worry disturbing security professionals. Can we work around our incompetence to stabilize the hike of cybercrime in the industry? Can we, indeed, come up with a solution to minimize or cure human vulnerability? The worst vulnerability seems to be incurable.