Tuesday, February 20, 2007

About security

The fact that it is actually quite easy to find dangerous information using just a search engine and some intelligent guesses is not exactly news to people who think about security professionally.
But I'm afraid that there are many uneducated folks putting content onto Web servers that they think is hidden to the world, when it is in reality anything but.

We have two seemingly opposite problems at work here: simplicity and complexity. On the one hand, it has become very easy for non-technical users to post content onto Web servers, sometimes without realizing that they are in fact placing that content on a Web server.
It has also become easy to Web-enable databases, which in one case led to the exposure of a database containing the records of a medical college's patients.

Even when people do understand that their content is about to go onto the Web, many do not fully think through what they're about to post. They don't examine that content in light of a few simple questions: How could this information be used against me? Or my organisation? And should this even go on the Web in the first place?

Well, of course ordinary users don't think to ask these questions!
They're just interested in getting their content out there, and most of the time are just pleased as punch that they could publish on the Web in the first place. Critically examining that content for security vulnerabilities is not something they've been trained to do.

And really, that's what it comes down to: we have to get folks thinking.
Sure, those of us responsible for security can try to shut down and turn off everything that could pose a threat - and we should, within reason.
But those pesky users are going to do their job: use the systems we provide them, and some we don't provide. We need to help them understand the threats that any Web-enabled technology can pose.
