Often the weakest link in security is not technology, but the people who use it.
People let their guard down against attackers when they are tired or distracted by work. Some feel intimidated. Others simply make honest mistakes. Social engineering is often what allows attackers to steal the information they want.
Humans can be manipulated. Often the easiest way to get around security systems is by gaining the confidence of the people who work at the targeted company.
For example, famous hacker Kevin Mitnick doesn't have extraordinary technical skills, said Richard Mogull, research director with Gartner's G2, at the company's Information Security Conference 2002 on Wednesday. "Why get through a firewall when you can convince someone at the company to give you their username and password," he said.
Firewalls, intrusion detection systems and antivirus software are just tools to improve security. But dealing with people is what's critical, as most security breaches come from within an organization, Mogull said.
Companies need to foster a culture that is conscious of social engineering, Mogull said. Employees need to be aware of the techniques that attackers use to compromise security.
"Management also needs to realize that security is more than just a line item in the IT budget. It's both a business process and educational issue," Mogull said.
Social engineering comes in many flavors. One kind may involve an attacker getting to know a person intimately and then using that knowledge to steal vital information. Sifting through garbage for sensitive information is another kind of tactic called dumpster diving. Then there is "phreaking" or trying to break into voicemail boxes. Often, users set their voicemail password to the same number as their extension.
Another very successful method is calling IT support pretending to be a "hopeless user." This method allows an attacker to learn about the login process. Such an approach plays off another element of social engineering, namely gaining the trust of the support person by making him feel good about himself, Mogull said.
An attacker can also pickpocket a PDA full of contacts and passwords. There is also reverse social engineering. This involves an attacker calling someone and leaving a message about a problem. The target calls back, and the attacker then asks them to verify their password and other sensitive information.
Combating social engineering requires educating employees about such techniques, Mogull said. It also requires sound policies. Proper password procedures are an important area to focus on.
Ensuring strong passwords is critical, Mogull said. Family names or nicknames are bad. Anniversaries or birthdays are out. Pet names are out. Sports teams are taboo. "What if someone sneaks into the office and sees you have a Green Bay Packers poster? Guessing your password is something like 'Go Packers' isn't very difficult," he said.
Using the same password for both work and personal accounts is a dangerous practice, Mogull said. What if you use your work password at an untrustworthy Web site? Unique passwords are important.
There are tools available that allow users to reset their own password by requiring them to fill in information that would be hard for an attacker to learn. Such a step takes IT out of the password-doling business. In that case, an attacker can't pose as an IT worker to get a password.
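The password rules Mogull lists above (no family or pet names, no anniversaries or birthdays, no sports teams) and the voicemail warning earlier in the article (a PIN equal to the extension) can be enforced mechanically at password-change time. The following checker is an added illustration, not a tool described in the article; the per-user profile fields (`names`, `dates`, `teams`) and the extension/PIN pair are constructed sample data.

```python
import re
from datetime import date

# Policy checks drawn from the article's guidance: a password must not
# embed a family or pet name, a birthday or anniversary, or a sports
# team, and a voicemail PIN must not simply be the user's extension.


def _normalize(s: str) -> str:
    """Lowercase and strip punctuation so 'Go Packers!' matches 'packers'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _date_forms(d: date) -> set[str]:
    """Common digit layouts a person might type for a memorable date."""
    fmts = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%y%m%d")
    return {d.strftime(f) for f in fmts}


def check_password(password: str, profile: dict, min_length: int = 12) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    profile is a constructed per-user dict: {"names": [...], "dates": [date, ...],
    "teams": [...]} holding facts an attacker could learn from a desk or a chat.
    """
    issues = []
    pw = _normalize(password)
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    for kind in ("names", "teams"):
        for word in profile.get(kind, []):
            w = _normalize(word)
            # Ignore very short tokens to avoid flagging incidental letter runs.
            if len(w) >= 3 and w in pw:
                issues.append(f"contains {kind[:-1]} '{word}'")
    for d in profile.get("dates", []):
        if any(form in pw for form in _date_forms(d)):
            issues.append(f"contains date {d.isoformat()}")
    return issues


def check_voicemail_pin(pin: str, extension: str) -> bool:
    """True when the voicemail PIN is just the extension, the default the article warns about."""
    return pin.strip() == extension.strip()


if __name__ == "__main__":
    # Constructed sample profile for a user with a Packers poster on the wall.
    profile = {"names": ["Dana", "Rex"], "dates": [date(1985, 4, 12)], "teams": ["Packers"]}
    print(check_password("Go Packers!", profile))
    print(check_voicemail_pin("4321", "4321"))
```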