
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick
a guy in trouble?” Helping people out was part of what this database administrator did, so he was extra patient as he talked Michael step by step through the process.

By the time they hung up, Michael had downloaded the entire list of computer science graduates for those years. Within a few minutes he had run a search, located two Michael Parkers, chosen one of them, and obtained the guy’s social security number as well as other pertinent information stored in the database.

He had just become “Michael Parker, B.S. in Computer Science, graduated with honors, 1998.” In this case, the “B.S.” was uniquely appropriate.

Analyzing the Con

This attack used one ruse I haven’t talked about before: The attacker asking the organization’s database administrator to walk him through the steps of carrying out a computer process he didn’t know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you’ve just stolen from his shelves out to your car.

Mitnick Message

Computer users are sometimes clueless about the threats and vulnerabilities associated with social engineering that exist in our world of technology. They have access to information, yet lack the detailed knowledge of what might prove to be a security threat. A social engineer will target an employee who has little understanding of how valuable the information being sought is, so the target is more likely to grant the stranger’s request.

PREVENTING THE CON

Sympathy, guilt, and intimidation are three very popular psychological triggers used by the social engineer, and these stories have demonstrated the tactics in action. But what can you and your company do to avoid these types of attacks?

Protecting Data

Some stories in this chapter emphasize the danger of sending a file to someone you don’t know, even when that person is (or appears to be) an employee, and the file is being sent internally, to an email address or fax machine within the company.

Company security policy needs to be very specific about the safeguards for surrendering valued data to anyone not personally known to the sender. Exacting procedures need to be established for transferring files with sensitive information. When the request is from someone not personally known, there must be clear steps to take for verification, with different levels of authentication depending on the sensitivity of the information.

Here are some techniques to consider:

• Establish the need to know (which may require obtaining authorization from the designated information owner).

• Keep a personal or departmental log of these transactions.

• Maintain a list of people who have been specially trained in the procedures and who are trusted to authorize sending out sensitive information. Require that only these people be allowed to send information to anyone outside the workgroup.

• If a request for the data is made in writing (email, fax, or mail), take additional security steps to verify that the request actually came from the person it appears to have come from.

About Passwords

All employees who are able to access any sensitive information—and today that means virtually every worker who uses a computer—need to understand that simple acts like changing your password, even for a few moments, can lead to a major security breach.

Security training needs to cover the topic of passwords, and that has to focus in part on when and how to change your password, what constitutes an acceptable password, and the hazards of letting anyone else become involved in the process. The training especially needs to convey to all employees that they should be suspicious of any request that involves their passwords.

On the surface this appears to be a simple message to get across to employees. It’s not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child “Look both ways before crossing the street,” but until
