The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [5]
Finally, I’ve provided a Security at a Glance section, which includes checklists, tables, and charts that summarize key information you can use to help your employees foil a social engineering attack on the job. These tools also provide valuable information you can use in devising your own security-training program.
Throughout the book you’ll also find several useful elements: Lingo boxes provide definitions of social engineering and computer hacker terminology; Mitnick Messages offer brief words of wisdom to help strengthen your security strategy; and notes and sidebars give interesting background or additional information.
part 1
behind the scenes
chapter 1
Security’s Weakest Link
A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business.
That company is still totally vulnerable.
Individuals may follow every best-security practice recommended by the experts, slavishly install every recommended security product, and be thoroughly vigilant about proper system configuration and applying security patches.
Those individuals are still completely vulnerable.
THE HUMAN FACTOR
Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.
It’s natural to yearn for a feeling of absolute safety, leading many people to settle for a false sense of security. Consider the responsible and loving homeowner who has a Medico, a tumbler lock known as being pickproof, installed in his front door to protect his wife, his children, and his home. He’s now comfortable that he has made his family much safer against intruders. But what about the intruder who breaks a window, or cracks the code to the garage door opener? How about installing a robust security system? Better, but still no guarantee. Expensive locks or no, the homeowner remains vulnerable.
Why? Because the human factor is truly security’s weakest link.
Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naïveté, or ignorance come into play. The world’s most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices. With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they’ve made their companies largely immune to attack because they’ve deployed standard security products—firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Anyone who thinks that security products alone offer true security is settling for the illusion of security. It’s a case of living in a world of fantasy: They will inevitably, later if not sooner, suffer a security incident.
As noted security consultant Bruce Schneier puts it, “Security is not a product, it’s a process.” Moreover, security is not a technology problem—it’s a people and management problem.
As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk.
A CLASSIC CASE OF DECEPTION
What’s the greatest threat to the security of your business assets? That’s easy: the social