At times I laugh when I see companies, banks, and educational institutions laying so much emphasis on the deployment of firewalls, anti-virus, server room protection, etc.
Yes, firewalls and anti-virus are good, but without a comprehensive information security program in place, all these security technology tools will only provide a false sense of security. When we start thinking about information security, we need to think about security as a system, not a single technology.
Let Us Take a Hypothetical Scenario
A company has over 5 million clients. It has an e-business website. It has deployed firewalls, anti-virus solutions and other vendor security solutions. It conducts 90% of its business through its e-business website.
A hacker studied the situation and asked: how do I get at this company?
What is the weakest link in the company's information security model? Why the weakest link? The hacker knew that going through the firewall and the intrusion detection systems would take him time which he was not willing to spare. The hacker found out through painstaking research and study that the over 5 million customers were the weakest link.
The attack followed:
- A fake website of the company was created.
- E-mails were sent to the company’s over 5 million customers.
The e-mail read:
Dear customer,
We have deployed new security solutions that will help increase the security of conducting business with us through our website. Please kindly enter your contact and billing details, by clicking on this link. www.wilbroser.com/details.html.
Thanks for your cooperation.
Yours faithfully,
Alex Brown
Head of IT
Result of the E-mail
Out of the 5 million customers, 3 million of them clicked the link and reentered their contact and billing details.
The remaining 2 million felt indifferent and didn’t respond to the mail. The credit card information of over 3 million customers was stolen.
Why Did the Hacker Target the 5 Million Customers of the Company?
The hacker found out that to commit e-fraud, it would take more effort and time to go through the firewall, anti-virus and the other security solutions of the company.
The thought of the weakest link came. The company had never embarked on a security awareness training program for customers. A lot of emphasis had been on staff and security solutions.
The hacker identified the customers as the weakest link. Having identified the weakest link, the hacker launched the attack.
Why Was the Attack Successful?
1. None of the over 5 million customers could tell the difference between a fake copy of the company’s website and the company’s real website.
2