Last Friday, I joined Kai Axford and we went and saw Kevin Mitnick present on the Art of Deception and the danger of being conned. You can read Kai’s write-up of the event here: Mitnick and Me. Also look for Kai to get a TechNet Radio interview with Kevin. I have to tell you it was enthralling and very eye-opening, so I wanted to write a blog post and share some insight I gained from listening to Kevin speak.

Kevin spent his entire talk discussing the weakest link in the chain when it comes to security in our day and age. What is that link? Us. People. Our users. The nature of social engineering makes it the greatest threat to our networks, and after hearing Kevin speak I believe this even more. I also came to the conclusion that even though we call it social engineering, it really is an elaborate and well thought out con job in which the attacker is trying to gain the trust and confidence of his target.

So why is social engineering the greatest threat?

  • Easy --- After hearing Kevin, I firmly believe there is a good deal of planning that goes into these types of attacks, but the entry point for most of them is a simple phone call. He shared some examples that were easy; his books listed below have even more!
  • No Intrusion Detection System --- Since people are involved, there are no magical warning bells unless those people are trained and follow company policies to the letter.
  • Low Cost --- The attacks usually start with phone calls, and in most cases these are toll-free numbers.
  • Low Risk --- Most attacks start with simple questions and calls, and in most cases the person being targeted is not even expecting or perceiving an attack.
  • O/S Neutral --- Social engineering attacks bypass all technical controls, and the person being targeted does all the work for the attacker.

Kevin discussed several examples of attacks he had heard of, and they were frighteningly simple. Simple calls into your help desk, receptionist, or even accounting department can turn into security nightmares for your organization. Why is that? Kevin called it holes in the human firewall (I really like that phrase):

Let’s face it, there is no patch for human gullibility. I know the phrase is supposed to contain the word stupid, but after hearing the talk, I am convinced anyone is open to these kinds of attacks.


What are the holes?

  • Sense of invulnerability --- That will not happen to me! I am smarter than that! One of the demos that Kevin showed during his session was a program called Asterisk. It was a voicemail scamming program that clones a company’s auto attendant system. Very scary stuff!
  • People are naturally trusting and helpful --- This is just human nature, and it is a good thing, but it is something you need to be aware of.
  • Security procedures are seen as a waste --- How many times have you said, those rules do not apply to me!
  • Cannot say no --- Heck, nobody likes to tell people no; there is even a device called a telephone butler that says no for you when telemarketers call.

So how can we help improve the human firewall? This really involves your whole organization and needs involvement from top management. It also involves looking at all the information inside your organization and treating it all like gold! Some bits of information may seem trivial, but you have to ask yourself: what if I combine all the pieces of “trivial” information? The answer may surprise and startle you.

What are some measures you can take to help protect your company?

  • Defend and define enterprise policies and stick to them! --- Especially when it comes to throwing sensitive materials away; in other words, buy a cross-cut shredder! :-)
  • Educate, Educate, Educate --- This is the most important part: educate yourself and your people first and foremost about policies, and let them know it is okay to say no.
  • Do a test periodically --- Test your policies: pose as another person and call into your business and try to get information, or do your own dumpster diving.
  • Use technology to remove employee decision making where it makes sense for the organization --- Obviously we need to be involved in our company’s business, but in some cases

If some of this information resonates with you, I recommend taking a look at some of the additional resources I have listed below.

Resources:

Kevin’s Security Consulting: http://www.kevinmitnick.com/company.php

Books:

(Looks like I have some books for the book of the month club. :-) )