Kevin Mitnick, perhaps one of the security world’s most famous convicted hackers, now spends much of his time consulting on IT security for various institutions, and his message is clear, real, and, while not new, definitely fresh for some ears: social engineering is a much greater threat than viruses, worms, and other software threats. While software threats are ever present and ever changing, computers can be designed to protect against them, to see them coming, and to defend themselves, without the user having to know much more than how to install the preventative software. When it comes to social engineering, however, the human factor comes into play, and only well-trained staff can stave off the wave of attacks performed that way.
I often joke with friends about how easy it would be to call someone who left a receipt in the gas pump before I pulled up, pretend to be from their bank, and “verify” their personal information using only their name, a phone book, and the last four digits of their credit card. People should definitely be more careful with their personal information: everything from those pesky credit card applications you get in the mail to, of course, gas station and ATM receipts can lead to identity theft if a talented and intelligent social engineer or hacker gets their hands on it. Kevin Mitnick, thankfully, agrees with me. He proposes that organizations create a “human firewall” of sorts, where red flags go up in people’s heads when the wrong questions are being asked out of the blue, when someone can’t provide the identity verification they should be able to, or when someone is asking questions they should probably already know the answers to.
Social engineering isn’t just easy, it’s a significant threat. I read a story about someone walking into an executive’s office one day, well dressed, saying he was from IT and there to look at the “Outlook problem” the executive had been having. The executive, happy someone had come, didn’t even mention that he didn’t recall having a problem, but let the gentleman sit at his computer and begin working. A few minutes later, the man got up, said “it should be better now,” and left with a USB key full of the executive’s confidential corporate data. Whether the story is true or not, we can all see it happening easily, when we live in a world where many people can’t remember the names of their IT support staff, much less their faces, or readily hand over information to anyone who asks because we assume authority. I don’t think anyone’s suggesting you stonewall the people who are there to help you, but be cautious about giving out your information, and if it feels wrong, dig a little deeper.
That’s my two cents, here’s PC World’s:
[ http://www.pcworld.com/news/article/0,aid,121922,tk,dn072205X,00.asp ]