This is due rather to the fact that information security management system are poorly designed and sometimes non-existent processes, covering the fundamental vulnerability. Below these levels, I mean the category of processes or foundation on which rests and operates the system IB. Once on which any of the levels arises gap immediately appears a loophole for the attacker. Levels of vulnerability – Physics – Technology – Logic – Human – Legislative – Organizing Physics – responsible for physical security and access. These are the doors, locks, windows, methods of access to information sources, security personnel. Technology – is responsible for technical means of protection. This alarms, video cameras, intrusion detection systems, firewalls, detection bookmarks, noise generators, etc. Logical – is responsible for logic or whether all the logical functions? Correctly set up access lists on the firewall is correctly placed guard posts on the subject, correctly placed sensors and cameras.
It is very often controversial issues, and sometimes these or other rules depend on object and the environment. Human – is responsible for the human factor. This level of vigilance and awareness of staff. This is how disciplined guards. The human factor is one of the most vulnerable levels, it is through people very often flowed and flowing out good defense information to foreign intelligence services and that this factor, many companies paid very little attention. Legislative – this level responsible for the legislation. This is how all the legal structure and functioning within the law.
Does the storage of information, for example, which is state. secrecy laws and standards set state. Organizing – is responsible for organizing all the processes and functions. It's regulations, policies, guidelines, regulations, incident response plan, protocols, etc. This level is in essence similar to Legislature. These five levels are interrelated with each other, they complement each other and should be controlled, otherwise, the infrastructure is poorly protected against current threats. Why? The thing is that in the real situation is usually targeted attacker attacking and penetrating into the infrastructure company, operates on the principle of the easiest to most difficult. If he fails to break through the perimeter network, it will try to steal passwords from employees, playing on the human factor, and if that fails, he tries to get physical access to information sources and so on. In this case, the attacker operates on the principle of flexibility and sooner or later finds a loophole. Personally, in my opinion, the most poorly protected companies present the first three levels are: first – physical, which in fact turns out to be vulnerable due to lack of rest. Second – technical, which is imperfect and needs strengthening, due to lack of rest. The third – the logical, which is imperfect.