Within the security world, particularly information security, there is a prevailing attempt to “shoot the messenger” so to speak, or at least to think that if only someone could build a better messenger, maybe the message would be better.
Let me explain. When the personal information of hundreds of thousands of individuals is compromised at companies such as ChoicePoint, LexisNexis or the DSW Shoe Warehouse, many people leap to the conclusion that lax computer or network security is to blame or that someone should develop a new technology or application that protects the data better.
At the heart of many “technical” attacks are poorly designed security practices or simple human error. In some cases, an attacker may gain access to a corporate database through the Internet, but that does not necessarily mean that the database or the Internet are to blame. They are just a medium or a tool. If the database was configured more securely or the network architecture built so that the database server was not reachable from the public Internet, there would not be a problem.
A recent trend for attackers gathering information they can use to breach potential targets is to use Google. Dubbed “Google hacking”, some are quick to blame the search engine technologies. If only the search engine didn’t catalog and index that data, or if only their search engine algorithm could somehow filter out the sensitive information. But, the true issue in most cases is that poor security practices or human error led to confidential or sensitive information being available on the Web where it shouldn’t be. The fault is with the company for leaving the data exposed, not with Google for indexing it.
It seems like there is always finger-pointing at technology as the crux of various security problems. On the other side of the coin are those who look to technology as the ultimate protector and savior of security and constantly strive to create a tool that will block, detect, filter or otherwise eradicate all of these concerns. But, unless we evolve to some futuristic world like you find in the Terminator or Matrix movies, none of those solutions can fix the single weakest link in the security chain, human beings.
It is certainly possible to create technology bandaids that try to protect us from ourselves, but as long as people are willing to share sensitive, personal information with strangers just because there may be a chance they could win theater tickets, the general state of security will continue pretty much as it is. A little education and an ounce of common sense will go much farther than snappiest of new whiz-bang security technologies could ever dream of.