Social Engineering

© Jeff Orloff

Hackers can sometimes access a company's network without having to crack a single password. By socially engineering a staff member, they are oftentimes granted free acce

Security is a hot topic these days. With information being such a profitable commodity, businesses are the target of a more sophisticated thief. The days of computer networks being hacked by kids with too much time on their hands are long over. Criminal organizations now use highly skilled technophiles to carry out sophisticated attacks that can cost the victim millions. In light of this, businesses find themselves struggling to keep data secure and business practices in compliance with HIPAA and Sarbanes-Oxley.

With the advent of high profile attacks, such as the latest Zotob outbreak or the more recent Exphook, businesses scramble to update their anti-virus software. The reactive belief also seems to be that spending lots of money on network security devices should be enough to protect them.

Inundated by the constant malware threat, corporate security often overlooks the most dangerous, and most difficult to control, aspect of information security. Social engineering can cause more damage, and cost more money, than virus and spyware authors could ever dream of.

For those unfamiliar with the term, let me define it with an example...

A young man working at a company's help desk gets an urgent call from a new senior manager. Apparently, his boss forgot to have his computer account set up. Now the help desk technician knows he is not supposed to set up temporary accounts, but after constant pleading, the manager is able to convince him that he needs this to complete a project vital to the company's success. Once the account is set up, the thief (posing as a manager) has access to confidential files and financial information.

Or how about the secretary who cleans out her boss's office after he receives a promotion? He doesn't need all of his old personnel files now that he works in the communications office, does he? In the trash they go. Later that night, a team of malicious hackers root through the company's garbage dumpster and find more than enough information to start their data heist.

Events like this do happen, unfortunately more often than one would think. The trouble is that, as we grow more reliant on hardware devices to help prevent security breaches, training employees to recognize and prevent social engineering falls by the wayside.

So how do security professionals fight the threat of social engineering? Education and auditing seem to be the key elements in alleviating this problem. Properly training employees to recognize this threat is step one, but the process needs to go further. Essentially, they need to be trained to forget everything they have learned about helping out a fellow employee. "Many of the most effective ways of reducing the vulnerability actually go against human nature: why wouldn't you hold the door open for someone if they had their hands full?" says Tim Ecott of Integralis.

Lastly, employees need to be held accountable. Regular security audits should include a social engineering portion. This should take place at all levels of the organization, though, not just at the gatekeeper level.


The copyright of the article Social Engineering in Computer Networking is owned by Jeff Orloff. Permission to republish Social Engineering must be granted by the author in writing.
