Last Friday, I joined Kai Axford and we went and saw Kevin Mitnick present on the Art of Deception and the danger of being conned. You can read Kai's write-up of the event here: Mitnick and Me. Also look for Kai to get a TechNet Radio interview with Kevin. I have to tell you it was enthralling and very eye-opening. So I wanted to write a blog post and share some insight I gained from listening to Kevin speak.
Kevin spent his entire talk discussing the weakest link in the chain with regard to security in our day and age. What is that link? Us, people, our users. The nature of social engineering makes it the greatest threat to our networks. After hearing Kevin speak I believe this even more. I also came to the conclusion that even though we call it social engineering, it really is an elaborate and well thought out con job in which the attacker is trying to gain the trust and confidence of his target.
So why is social engineering the greatest threat?
Kevin discussed several examples of attacks he had heard of, and they were frighteningly simple. Simple calls into your help desk, receptionist, or even accounting department can turn into security nightmares for your organization. Why is that? Kevin called it holes in the human firewall (I really like that phrase):
Let's face it, there is no patch for human gullibility. I know the phrase is supposed to contain the word stupid, but after hearing the talk, I am convinced anyone is open to these kinds of attacks.
What are the holes?
So how can we help improve the human firewall? This really involves your whole organization and needs involvement from top management. It also involves looking at all the information inside your organization and treating it all like gold! Some bits of information may seem trivial, but you have to ask yourself: what if I combine all the pieces of "trivial" information? The answer may surprise and startle you.
What are some measures you can take to help protect your company?
If some of this information resonates with you, I recommend taking a look at some of the additional resources I have listed below.
Kevin’s Security Consulting: http://www.kevinmitnick.com/company.php
(Looks like I have some books for the book of the month club. :-) )