
Redspin Security Management Advisory
Security Management Advisory Volume 8 | November 2008
Redspin's third favorite social engineering story:
In a 2003 information security survey, office workers were asked for their password. 75% gave it up immediately; an additional 15% revealed it in exchange for a piece of chocolate.
Every company's strongest asset? Employees.
Every company's weakest security link? Employees.
Social engineering is the IT version of the classic con job. A con man tries to gain the confidence of his mark in order to steal the money from under their mattress; a social engineer tries to take advantage of his mark's naiveté to gain access to a computer network.

The bad guys usually work from the safety of their own homes and use the phone or the internet to troll for information. It's not complicated to send out e-mails to employees directing them to a dummied-up company website with "Killer Discounts for Employees! Enter Your Password Here!" It's also not that hard to call a dozen people at a company and tell them you're from technical support. One of them is actually going to have a computer problem, and will be thrilled that IT is finally getting back to them.

Redspin's second favorite social engineering story:
While doing a social engineering audit at a bank, a Redspin engineer got hold of Jane. Jane was very friendly. Our engineer got her to help out "Joe, the IT guy" on the phone by changing her password to one that he chose. Then customer-friendly Jane offered, "As long as I'm here, would you like me to change the password on all the other workstations?" How could we refuse?


You can spend big bucks to put in the latest and greatest firewalls, to make sure that every computer is locked down like Fort Knox — but it won't matter if your employees hand over the keys to the kingdom to a smooth talking con man.
What's a conscientious manager to do?
  • Training.
    Awareness is 90% of your battle. Your employees can be trained to be courteous, but also trained to pass anything questionable up the chain of command, and to verify a caller's identity by calling back on a number they already know rather than one the caller gives them. Trust but verify.
  • Limit information leaving your network.
    Everyone has firewalls that keep bad traffic out. Make sure the traffic going out is controlled too: employees who don't need to send information out of the network (outbound e-mail attachments, file uploads, unrestricted web access) should have the appropriate limitations, so that a password typed into a fake site or a file mailed to "Joe in IT" doesn't go far.
  • Strong password policy.
    While you don't want a password policy so tough that all the employees write their password on a sticky note on the keyboard, you also don't want passwords that can be cracked by a Commodore 64. Favor length over baroque complexity rules, and block the obvious choices (the company name, "password1", the current season and year).
  • Conscientious IT.
    Make sure all programs are kept up to date, so that outdated programs don't open holes in your system. Also, don't make all users Administrators: when a Jane does hand over her workstation, an ordinary user account limits what the con man can do with it.
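The password-policy item above is the one a manager can actually test on a keyboard, so here is an added worked example (not code from the Redspin advisory) of a policy check that follows its advice: reject anything on a blocklist of obvious choices, require length, and score brute-force resistance from the search space rather than from how many character classes are present. The blocklist, the attacker guess rate, the thresholds and the sample passwords are all constructed for illustration.

```python
"""Password-policy check: added example, not part of the Redspin advisory.

Illustrates the advisory's point that length beats complexity rules: a
short, "complex" password that users will write on a sticky note scores
lower than a plain lowercase passphrase they can actually remember.
"""
import math
import string

# Constructed blocklist standing in for a real breached-password list.
# Entries are base words; trailing digits/punctuation are stripped before lookup,
# so "Password1!" and "Welcome2008" still match.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "changeme"}

# Assumed attacker speed: offline guesses per second against a fast hash.
GUESSES_PER_SECOND = 1e10


def normalize(pw):
    """Lowercase and strip the trailing '1' or '2008!' people append to a dictionary word."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def charset_size(pw):
    """Size of the alphabet an attacker must search, judged from the classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if " " in pw:
        size += 1
    return size


def brute_force_bits(pw):
    """Upper bound on strength: log2 of the search space for this length and alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_crack(pw):
    """Expected time to exhaust the search space at GUESSES_PER_SECOND."""
    return 2 ** brute_force_bits(pw) / GUESSES_PER_SECOND / (365 * 24 * 3600)


def check_policy(pw, min_length=12, min_bits=60):
    """Return (ok, reasons). Blocklist and length are enforced; character classes are not."""
    reasons = []
    if normalize(pw) in COMMON_BASE_WORDS:
        reasons.append("based on a common password")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if brute_force_bits(pw) < min_bits:
        reasons.append(f"search space below {min_bits} bits")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample passwords: the sticky-note favourite, the "complex"
    # one nobody remembers, and a long lowercase passphrase.
    for candidate in ["Password1", "Tr0ub4dor&3", "correct horse battery staple"]:
        ok, reasons = check_policy(candidate)
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"{years_to_crack(candidate):.3g} years, ok={ok} {reasons}")
```

Run as a script it prints the three verdicts; the passphrase passes with the largest search space even though it uses only lowercase letters and spaces, while the short mixed-class password fails on length alone.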
Redspin's favorite social engineering story:
We were doing a social engineering audit of a bank, and called the fourth person on our list. As soon as our engineer started in on his script — "Hi, I'm working with Jack over in IT, and..." — the person on the other end of the line said, "Is this a social engineering call?" and hung up on us.
Redspin's audits create results
Since Redspin is a pure auditing firm, we were thrilled that one of our audits actually produced a fix on its own: the mere act of auditing this bank made the tellers and other employees more vigilant about whom they share information with.

While there will always be gullible people and con men to take advantage of them, training and awareness work to minimize that risk.
©2009 Redspin, Inc. | Privacy Policy