[ISN] Up close and personal with the social hackers
By Eric Wilson
August 26, 2003
Is your IT security training up to scratch? Take this simple test to
"It's the IT department on the phone, and it's urgent. We've had a
system crash and we've had this terrible MSBLASTER worm and your team
is at risk. We need your password to remotely install a patch."
At this point, many people will be hacked - not by the worm, but by
the guy with the authoritative voice on the telephone. He's now been
given a valid user name and password. Yours. By the time your real IT
department detects and tracks down the intruder, he'll be long gone.
In fact, the "terrible MSBLASTER worm" was probably zapped by your
corporate firewall long before it could reach your machine.
Steve Bittinger, Gartner Group's security research director, says this
kind of "social engineering" hack happens every day because companies
haven't trained their staff to know when they're being conned.
"It's easy to point the finger at worms and firewalls, but in the end,
the really big losses come from social engineering," Bittinger says.
"They play sides of the organisation against each other, collecting
more information each time around the loop."
Here's another bit of social hacking, but this time the hack is made
at the IT department's expense.
"I've just joined the accounts department and the piece of paper you
gave me yesterday - well, I lost it. Could you please give me my user
name and password again?"
The system administrator checks and yes, Bill McCoy did join the
accounts department yesterday. But the administrator doesn't realise
that he isn't talking to the real McCoy, but to some outsider who hangs
around the cafeteria, gathering information.
Potential social hackers also include couriers, telephone installers
or anyone else allowed to walk around your office.
"The kind of training these ordinary non-technical people need is to
know what these risks look like," Bittinger says. "People's notebooks
disappear off their desks at lunchtime when a contractor or
consultant-looking person walks off with them."
Bittinger says companies are being told to spend 90 per cent of their
security training budget on three groups - system administrators,
software developers and senior management. For senior management, it's
not the technical know-how that's needed but a knowledge of basic IT
security principles to help them make wise decisions. But
unfortunately, this formula only leaves 10 per cent of security
training for everyone else.
"Some organisations are using e-learning to keep costs down,"
"One of the largest universities in Australia was telling me they had
tremendous success identifying a security focal-point person in every
department. They meet once a month, so they are not trying to train
thousands of people."
Whatever the method, people need to be trained to recognise suspicious
Then they need to be motivated to get involved.
"Often people say 'Yeah, I did see a guy over there by John's desk,
but I thought there must have been something wrong with his computer.'
They need to know what to do. Does the secretary want to confront him
or should she call someone?"
For small businesses, social hacking is less of a problem - everyone
knows everyone's movements and activities - but because small to
medium-sized businesses do not have designated IT staff they are often
more vulnerable to the usual forms of hacking, such as remote
penetration through the internet.
For Natasha David, IDC's research manager of infrastructure and
training, the enemy of small business is business as usual. "When you
look at small business training for internet security, there is no
training," she says. "It's not because they don't want to - they have
no time. They are more likely to be sent away on industry-specific
David says that even in big companies, the IT security training budget
is a grim-looking affair. And since good security involves
implementing and sticking with prudent management procedures, as well
as technologies, that's not good.
"They don't have the budget," she says. "So it's falling more to the
IT vendor to provide the training with the licence. In order to make
the sale, they are saying 'OK, we'll provide training as well'."
But the best training, which probably won't be vendor-specific, is all
for naught unless the proper motivation is maintained. Both
researchers say incentives need to be built in to keep people alert.
"In case the slammer worm comes around, you need a fire-alarm-like
training drill," David says.
"In a fire-like situation, you have another set of rules that take
over the normal operating environment. You need incentives and
disincentives to make people aware of it."
Of even more concern is data theft. Even small businesses have
sensitive information to protect.
Natasha David says a doctor's surgery is the prime example of where
privacy is paramount, but the motivation for busy owner-doctors to
train for IT security is poor.
"The medical association might say, 'This is what you need to do to
secure your private information', but will he have his licence taken
away from him if he does not? I don't think so. At the end of the day,
there just isn't the incentive for doctors to get trained unless they
themselves become the victim of a privacy breach."
Human nature is the biggest IT security problem.
It's human nature to keep ignoring a risk, especially one you can't
even see - until it actually hurts you.
ISN is currently hosted by Attrition.org