So, you've got two firewalls, an intrusion prevention system [IPS] and antivirus software deployed, and you're feeling pretty good. Servers are patched, packets are being dropped, you're alerted when network traffic isn't behaving well and viruses are killed on the spot. Yep, life is good! So what's the problem?
Hackers can be quite clever, and often devious, when it comes to harvesting information from unsuspecting employees. Your helpdesk, IT staff and general user population care about helping, or sometimes just pacifying, people who need assistance. No matter how much your staff is paid, they can't be configured to drop calls like your firewall drops packets. In fact, most people want to be helpful if an innocent person needs assistance.
Social engineering can be a very fruitful technique for hackers, and it takes less time than trying to identify or bypass a firewall or IPS. Unfortunately, or fortunately, depending on whom you ask, the security administrator can't screen everyone's calls or ask for ID from every person stepping foot into your company. It's up to the rest of your staff, those non-configurable human beings, to filter out malicious requests that come in through the doorways and over the phone lines. Are they up to the task? The best way to prepare them is to educate them on social engineering tactics they may encounter on and off the job.
Simply put, the art of social engineering involves clever ways of getting questions answered and then access to restricted areas or information. It can come in the form of a hacker posing as a helpdesk technician asking a user for his password, a network administrator, a distressed user, an electrician needing access to a communications closet, a fire-extinguisher technician needing access to the computer room, a janitor or any number of other believable personas. How hard would it be for some of these types of people to access a PC, or even your computer room? How many times have you asked for ID from electricians you've crossed paths with? If you found an "electrician" in a wiring closet, would you bother to question him? If you're like most people, you would assume everything is as it seems and carry on with your own daily tasks.
In addition to educating your staff, it's best to create company policies prohibiting the divulging of sensitive information over the phone or e-mail, tailgating through locked doorways and a policy requiring visitors to wear badges. I also highly recommend reading Kevin Mitnick's book on social engineering, called "The Art of Deception." By looking at the human factor of security, you will help prevent unauthorized access to your company's crown jewels.
Missed part of this series? Check out the online archive.
Related information
Improving employee awareness to fight malicious code
Let's face it: All of our efforts at improving employee awareness about malicious code have met with mixed success at best and at worst, complete failure.
Quiz: Security awareness for end users
Studies show that a company's biggest security threat is its own employees. The SANS Institute recommends that organizations should take time to educate their employees.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
