Most attacks on our information system are not attempts to break down our firewalls or to crack encryption or complex passwords. The attacker being welcomed in and treated as a trusted member of the team accomplishes most attacks.
There is a good reason that personal identifying information is such a high value target – stolen identity information provides access to information and physical assets.
Our information systems are not inherently trustworthy and should not be trusted. Trust should play no role in information system operations. Trust is the absence of vigilance! We cannot afford to ever let down our vigilance when it comes to information security. The attacker is dependent upon the trust placed in the system and its security strategy. Trust is the ultimate enabler for the attacker.
We must have security strategies that are designed around constant awareness and perpetual doubt that must be constantly overcome. This means accepting a modest amount of inconvenience that challenges every security assumption at every turn.
The verification and validation of the user each and every time is essential to security. Verification and validation does not mean validating a trusted credential, but actual validation and verification of the person. This means momentarily stepping out of the digital universe and into the universe in which human users exist.
© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.