The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [38]
Educate, Educate, and Educate ...
There’s an old story about a visitor to New York who stops a man on the street and asks, “How do I get to Carnegie Hall?” The man answers, “Practice, practice, practice.” Everyone is so vulnerable to social engineering attacks that a company’s only effective defense is to educate and train your people, giving them the practice they need to spot a social engineer. And then keep reminding people on a consistent basis of what they learned in the training, but are all too apt to forget.
Everyone in the organization must be trained to exercise an appropriate degree of suspicion and caution when contacted by someone he or she doesn’t personally know, especially when that someone is asking for any sort of access to a computer or network. It’s human nature to want to trust others, but as the Japanese say, business is war. Your business cannot afford to let down its guard. Corporate security policy must clearly define appropriate and inappropriate behavior.
Security is not one-size-fits-all. Business personnel usually have disparate roles and responsibilities and each position has associated vulnerabilities. There should be a base level of training that everyone in the company is required to complete, and then people must also be trained according to their job profile to adhere to certain procedures that will reduce the chance that they will become part of the problem. People who work with sensitive information or are placed in positions of trust should be given additional specialized training.
Keeping Sensitive Information Safe
When people are approached by a stranger offering to help, as seen in the stories in this chapter, they have to fall back on corporate security policy that is tailored as appropriate to the business needs, size, and culture of your company.
Never cooperate with a stranger who asks you to look up information, enter unfamiliar commands into a computer, make changes to software settings or—the most potentially disastrous of all—open an email attachment or download unchecked software. Any software program—even one that appears to do nothing at all—may not be as innocent as it appears to be.
Note
Personally, I don’t believe any business should allow any exchange of passwords. It’s much easier to establish a hard rule that forbids personnel from ever sharing or exchanging confidential passwords. It’s safer, too. But each business has to assess its own culture and security concerns in making this choice.
There are certain procedures that, no matter how good our training, we tend to grow careless about over time. Then we forget about that training at crunch time, just when we need it. You would think that not giving out your account name and password is something that just about everybody knows (or should know) and hardly needs to be told: it’s simple common sense. But in fact, every employee needs to be reminded frequently that giving out the account name and password to their office computer, their home computer, or even the postage machine in the mail room is equivalent to giving out the PIN number for their ATM card.
There is occasionally—very occasionally—a quite valid circumstance when it’s necessary, perhaps even important, to give someone else confidential information. For that reason, it’s not appropriate to make an absolute rule about “never.” Still, your security policies and procedures do need to be very specific about circumstances under which an employee may give out his or her password and—most importantly—who is authorized to ask for the information.
Consider the Source
In most organizations, the rule should be that any information that can possibly cause harm to the company or to a fellow