Thursday, July 30, 2009

Social Engineering - The biggest Threat to Security is still You and your People

Social Engineering - Are you Tempted?
Whether they are going through the eTrash, dumpster diving, pod slurping or impersonating other people, our constant companions, the hackers, know that social engineering is still the best way to bypass security.

People Skills
Social engineering finds and hits directly at our weak spot: you're a nice gal/guy, a people person, and people are still the weakest link in security. Yes, it is difficult to change this, because it means changing people's attitudes and behaviour. Plus, you have just spent tens of thousands of dollars, pounds and euros to give them better customer-facing skills.

Why? It Works!
Why are hackers still using social engineering to gain access to organisations? Because it still works better than anything else and it provides quicker results. It's easier to infiltrate an organisation via its people because the security is focused elsewhere, on the building and on technology. Plus, your guard is down; you're complacent because you 'think' you are secure.

Who? People!
Front-of-house contact people are the most susceptible to intrusions, partly because they form the first barrier but also because they are often bored, busy and isolated. Almost certainly they are the least aware, uninformed or not adequately trained concerning social engineering techniques and their risk to security. After all, who doesn't like to help a nicely dressed, sexy gal/guy and be rewarded by a smile, a compliment or just some friendly attention? What 'bait' would work on you?

The most likely vulnerabilities, the bad behaviours they lead to, and what to do about them:

1. People want to be, and are trained to be, helpful and co-operative. Sometimes this help can go too far and they give away too much information. Make it clear to them, in writing, what they can and cannot reveal.

2. People want to avoid confrontation and are trained towards compromise. It's difficult for some people to ask others to prove who they are. They don't like or want confrontation, especially with a possible 'authority' figure. Support your staff's doubts and back them up; review and clarify their decisions.

3. People like convenience and easy options. No one wants to take the complex additional security-check route when they are busy or distracted, even if it may protect or benefit the organisation. Make the secure route the easy option for your staff.

4. People are messy, disorganised and easily distracted. They leave paper around, leave screens open to view, copy multiple people on e-mails, gossip and leak data. Provide them with pleasant incentives to change their behaviour and give them other, more positive things to talk about.

5. People are curious, inquisitive creatures. A great example is an employee who finds a USB drive in the parking lot. The first thing they do when they get to their desk is plug it in to see what's on it. You have to tell them why this is a threat to security and also a violation of someone else's privacy.

Is there light?
Social engineering attacks are some of the most difficult to defend against, but not all is darkness. Your greatest weapon is training and education: maintain awareness of current threat profiles and pass them on as a simple, easy-to-implement 'cheat sheet' or set of guidelines. Address all of people's senses: sight, sound and hearing. Use the technology: podcasts, MP3s, YouTube videos; tweet them and Facebook them. Whatever it takes.

Technical Barriers
There are very few technical solutions to people problems but here are some technical controls that are sensible to put in place:

* Lock down or limit the capability of all peripheral devices, especially USB ports. There are now many commercial products that allow security administrators to completely lock down USB ports. This might be difficult, but not impossible, because so many devices are connected via USB.
* Use Data Loss Prevention (DLP) techniques and products. Know who has access to your data, when they access it and what they are accessing. This is not very effective if someone's profile has been duplicated or stolen, or if access has been incorrectly granted.
* Use encryption on every device and wherever systems talk to systems.
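As an added example (not from the original post), here is a PowerShell script that applies the first of these controls on a Windows host: it stops the USB mass-storage driver from loading and denies all removable-storage access by policy, then checks that both settings took effect. It assumes administrator rights and uses the documented registry locations for those two controls.

```powershell
# Added example, not part of the original post. Run as Administrator.
# Two independent controls against the "found USB stick" scenario:
#  1. USBSTOR service Start=4 stops the USB mass-storage driver loading
#     (3 is the default, load on demand).
#  2. The Removable Storage Access policy "Deny_All" blocks read/write/execute
#     on every removable storage class, even if another driver mounts it.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-UsbStorageLockdown {
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
}

function Test-UsbStorageLockdown {
    # Returns $true only when BOTH controls are in the locked-down state,
    # so a half-applied change is reported as a failure, not a pass.
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start).Start
    $deny  = 0
    if (Test-Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue
        if ($null -ne $item) { $deny = $item.Deny_All }
    }
    return ($start -eq 4) -and ($deny -eq 1)
}

Set-UsbStorageLockdown
if (Test-UsbStorageLockdown) {
    Write-Output 'USB mass storage locked down (driver disabled, policy Deny_All=1)'
} else {
    Write-Output 'Lockdown NOT fully in effect; review the two keys above'
}
```

The driver setting takes effect for newly inserted devices; a reboot ensures any already-loaded instance is gone.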

Remember: 'If your employees don't know what social engineering is and how it operates, why should they change their behaviour?' You are the Agent of Change! Make it so!
