
TaoSecurity: “Protect the Data” Where?

From one of my favorite blogs, TaoSecurity:

I forgot to mention another thought in my last post “Protect the Data” from Whom? Intruders are not mindlessly attacking systems to access data. Intruders direct their efforts toward the sources that are easiest and cheapest to exploit. This produces an interesting corollary.

Once other options have been eliminated, the ultimate point at which data will be attacked will be the point at which it is useful to an authorized user.

For example, if a file is only readable once it has been decrypted in front of a user, that is where the intruder will attack once his other options have been exhausted. This means that the only way to completely “protect data” is to make it unusable. If data is not usable then it doesn’t need to exist, so that means intruders will always be able to access data if they are sufficiently resourced and motivated, as explained in my first post on this subject.

This meshes pretty well with my philosophy on information security — it doesn’t matter how much security you layer onto the server side. For any sufficiently secure system, your weakest point of potential compromise is almost always going to be your clients. Banks and online payment services (such as PayPal) have learned this the hard way. For every breach, no matter how insignificant, there are millions of successful phishing attacks.

So many system administrators forget about the client side of things because it’s not their job. Big mistake.

Posted in Sysadmin.
