Kindle Notes & Highlights
Because the human factor is truly security's weakest link. Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naïveté, or ignorance come into play.
“Security is not a product, it's a process.” Moreover, security is not a technology problem—it's a people and management problem.
Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk.
Those who fail to plan for a security incident are planning for failure.
While amateur computer intruders simply go for quantity, the professionals target information of quality and value.
Most people go on the assumption that they will not be deceived by others, based upon a belief that the probability of being deceived is very low; the attacker, understanding this common belief, makes his request sound so reasonable that it raises no suspicion, all the while exploiting the victim's trust.
We've come to accept the need for defensive driving; it's time to accept and learn the practice of defensive computing.
The challenge is to achieve a balance between security and productivity.
We would live a difficult life if we had to be always on our guard, mistrustful of others, concerned that we might become the dupe of someone trying to take advantage of us. In
A personal question is like a land mine—some people step right over it and never notice; for other people, it blows up and sends them scurrying for safety. So if I ask a personal question and she answers the question and the tone of her voice doesn't change, that means she probably isn't skeptical about the nature of the request.
One more thing a good PI knows: Never end the conversation after getting the key information. Another
gaining access to information that a company employee treats as innocuous, when it isn't.
He knew the common tactic of burying the key questions among innocent ones.
A well-thought-out information security policy, combined with proper education and training, will dramatically increase employee awareness about the proper handling of corporate business information. A data classification policy will help you to implement proper controls with respect to disclosing information. Without a data classification policy, all internal information must be considered confidential, unless otherwise specified.
Security training needs to emphasize: When in doubt, verify, verify, verify.