
The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [100]

time that software manufacturers stop delivering products with security features disabled by default when it should be the other way around. (I suspect they’ll figure this out soon enough.)

Of course, corporate security policy should mandate system administrators to enforce security policy through technical means whenever possible, with the goal of not relying on fallible humans any more than necessary. It’s a no-brainer that when you limit the number of successive invalid login attempts to a particular account, for example, you make an attacker’s life significantly more difficult.
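The lockout the paragraph above recommends is simple to state but has a few details worth getting right: failures should be counted inside a time window (so stale failures do not accumulate forever), the lock should expire on its own, and a successful login should clear the counter. The following Python is an added example written for this page, not code from the book or from any product it mentions; the thresholds (5 failures in 15 minutes, 15-minute lockout) and the injectable clock are assumptions chosen so the behaviour can be exercised offline.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counter with a temporary account lockout.

    After `max_failures` failed attempts for one account within
    `window_seconds`, further attempts on that account are refused for
    `lockout_seconds`. The clock is injectable so tests can run offline.
    """

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # username -> failure timestamps
        self._locked_until = {}              # username -> unlock time

    def _prune(self, username, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, username):
        """Return (allowed, seconds_until_retry) for this account."""
        now = self.clock()
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return False, until - now
            # Lock expired: forget it and start counting afresh.
            del self._locked_until[username]
            self._failures[username].clear()
        return True, 0

    def record_failure(self, username):
        """Count a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        self._prune(username, now)
        q = self._failures[username]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            return True
        return False

    def record_success(self, username):
        """A correct password clears the account's failure history."""
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_password):
    """Wrap a password check with the throttle. Returns 'ok', 'failed' or 'locked'."""
    allowed, _wait = throttle.is_allowed(username)
    if not allowed:
        return "locked"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "failed"


class FakeClock:
    """Manually advanced clock (constructed for the demo; use time.monotonic in production)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Three bad passwords lock the account; the lock expires after 120 s."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, window_seconds=60,
                             lockout_seconds=120, clock=clock)
    creds = {"alice": "correct horse"}           # constructed sample credential
    check = lambda user, pw: creds.get(user) == pw
    results = [attempt_login(throttle, "alice", "wrong", check) for _ in range(3)]
    results.append(attempt_login(throttle, "alice", "correct horse", check))  # refused
    clock.t = 121.0
    results.append(attempt_login(throttle, "alice", "correct horse", check))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: a per-account lockout hands an attacker a way to lock legitimate users out by deliberately failing logins against their names, so lockout periods should be short and combined with per-source-address throttling; and a per-account counter does nothing against an attacker who tries one password across many accounts, so failures should also be counted per source and across the whole population.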

Every organization faces that uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information.

If a company’s policies leave some issues unaddressed, employees may take the path of least resistance and do whatever is most convenient and makes their job easier. Some employees may resist change and openly disregard good security habits. You may have encountered such an employee, who follows enforced rules about password length and complexity but then writes the password on a Post-it note and defiantly sticks it to his monitor.

A vital part of protecting your organization is the use of hard-to-discover passwords, combined with strong security settings in your technology.

For a detailed discussion of recommended password policies, see Chapter 16.

Chapter 12

Attacks on the Entry-Level Employee

As many of the stories here demonstrate, the skilled social engineer often targets lower-level personnel in the organizational hierarchy. It can be easy to manipulate these people into revealing seemingly innocuous information that the attacker uses to advance one step closer to obtaining more sensitive company information.

An attacker targets entry-level employees because they are typically unaware of the value of specific company information or of the possible results of certain actions. Also, they tend to be easily influenced by some of the more common social engineering approaches—a caller who invokes authority; a person who seems friendly and likeable; a person who appears to know people in the company who are known to the victim; a request that the attacker claims is urgent; or the inference that the victim will gain some kind of favor or recognition.

Here are some illustrations of the attack on the lower-level employee in action.

THE HELPFUL SECURITY GUARD

Swindlers hope to find a person who’s greedy because they are the ones most likely to fall for a con game. Social engineers, when targeting someone such as a member of a sanitation crew or a security guard, hope to find someone who is good-natured, friendly, and trusting of others. They are the ones most likely to be willing to help. That’s just what the attacker had in mind in the following story.

Elliot’s View

Date/time: 3:26 A.M. on a Tuesday morning in February 1998.

Location: Marchand Microsystems facility, Nashua, New Hampshire

Elliot Staley knew he wasn’t supposed to leave his station when he wasn’t on his scheduled rounds. But it was the middle of the night, for crying out loud, and he hadn’t seen a single person since he had come on duty. And it was nearly time to make his rounds anyway. The poor guy on the telephone sounded like he really needed help. And it makes a person feel fine when they can do a little good for somebody.

Bill’s Story

Bill Goodrock had a simple goal, one he had held on to, unaltered, since age twelve: to retire by age twenty-four, not ever touching a penny of his trust fund. To show his father, the almighty and unforgiving banker, that he could be a success on his own.

Only two years left and it’s by now perfectly clear he won’t make his fortune in the next twenty-four months by being a brilliant businessman and he won’t do it by being a sharp investor. He once wondered about robbing banks with a gun but that’s just the stuff of fiction—the risk-benefit
