Online Book Reader


The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [88]

up in the lobby, convince the receptionist that he has an appointment with, say, an engineer ... then be escorted to the engineer’s office where he claims to be a rep from a company that wants to sell some product to the company ... and then, after the meeting with the engineer, he has free access to roam the building.

Before admitting an off-site employee to the premises, suitable procedures must be followed to verify that the person is truly an employee; receptionists and guards must be aware of methods used by attackers to pretext the identity of an employee in order to gain access to company buildings.

How about protecting against the attacker who cons his way inside the building and manages to plug his laptop into a network port behind the corporate firewall? Given today’s technology, this is a challenge: conference rooms, training rooms, and similar areas should not leave network ports unsecured but should protect them with firewalls or routers. But better protection would come from the use of a secure method to authenticate any users who connect to the network.

Secure IT!

A word to the wise: In your own company, every worker in IT probably knows or can find out in moments how much you are earning, how much the CEO takes home, and who’s using the corporate jet to go on skiing vacations.

It’s even possible in some companies for IT people or accounting people to increase their own salaries, make payments to a phony vendor, remove negative ratings from HR records, and so on. Sometimes it’s only the fear of getting caught that keeps them honest ... and then one day along comes somebody whose greed or native dishonesty makes him (or her) ignore the risk and take whatever he thinks he can get away with.

There are solutions, of course. Sensitive files can be protected by installing proper access controls so that only authorized people can open them. Some operating systems have audit controls that can be configured to maintain a log of certain events, such as each person who attempts to access a protected file, regardless of whether or not the attempt succeeds.

If your company has understood this issue and has implemented proper access controls and auditing that protects sensitive files—you’re taking powerful steps in the right direction.
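The two controls named above, an access control list that says who may open a sensitive file and an audit log that records every attempt on it whether it succeeds or not, are only useful if somebody actually reviews the log. The following is an added example, not code from the book or from any product it mentions: it assumes a constructed one-line-per-event audit format (timestamp, user, file, action, result) and a small hypothetical ACL, parses a handful of constructed log lines, and reports the two things a reviewer most wants to see: an access that was allowed for a user the ACL does not list, and a user who was repeatedly denied on the same file.

```python
"""Review a file-access audit log against an access-control list.

Added example, not from the book. It assumes a simplified, constructed
audit-log format with one event per line:

    <ISO timestamp> user=<name> file=<path> action=<read|write> result=<allowed|denied>

Real systems (Linux auditd, Windows object-access auditing) use richer
formats, but the review logic is the same: compare what the log says
happened with what the ACL says should be possible.
"""
from collections import Counter
from dataclasses import dataclass
import re

# One audit event per line; paths in this constructed format contain no spaces.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) file=(?P<file>\S+) '
    r'action=(?P<action>read|write) result=(?P<result>allowed|denied)$'
)

# Hypothetical ACL: the users authorised to open each protected file.
ACL = {
    "/hr/salaries.xlsx": {"hr_admin", "ceo"},
    "/finance/vendors.db": {"ap_clerk", "controller"},
}

# Constructed sample log lines (the last one is deliberately malformed).
SAMPLE_LOG = """\
2024-03-01T09:01:12Z user=hr_admin file=/hr/salaries.xlsx action=read result=allowed
2024-03-01T09:05:40Z user=itops file=/hr/salaries.xlsx action=read result=denied
2024-03-01T09:05:52Z user=itops file=/hr/salaries.xlsx action=read result=denied
2024-03-01T09:06:03Z user=itops file=/hr/salaries.xlsx action=read result=denied
2024-03-01T10:15:00Z user=ap_clerk file=/finance/vendors.db action=write result=allowed
2024-03-01T11:42:17Z user=itops file=/finance/vendors.db action=write result=allowed
this line is garbage and is counted as unparsed
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    file: str
    action: str
    result: str


def parse_log(text):
    """Parse the constructed format; return (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # never silently drop a line the parser cannot read
            continue
        events.append(Event(**m.groupdict()))
    return events, unparsed


def review(events, acl, fail_threshold=3):
    """Return findings worth a human look.

    - 'unauthorized_success': an access was ALLOWED for a user the ACL does
      not list, i.e. the access control is misconfigured or was bypassed.
    - 'repeated_denials': one user was denied on one file at least
      fail_threshold times, i.e. someone keeps trying a file they cannot open.
    """
    findings = []
    denials = Counter()
    for ev in events:
        allowed_users = acl.get(ev.file)
        if allowed_users is None:
            continue  # not a protected file; nothing to compare against
        if ev.result == "allowed" and ev.user not in allowed_users:
            findings.append(("unauthorized_success", ev.user, ev.file, ev.action))
        if ev.result == "denied":
            denials[(ev.user, ev.file)] += 1
    for (user, path), n in sorted(denials.items()):
        if n >= fail_threshold:
            findings.append(("repeated_denials", user, path, n))
    return findings


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, {bad} unparsed line(s)")
    for finding in review(evs, ACL):
        print(*finding)
```

The point of checking allowed events against the ACL, and not only the denials, is the scenario in the sidebar: an IT or accounting employee who can already open the payroll file will never generate a denial, so a log that is only searched for failures will never show them. Counting unparsed lines matters for the same reason; a log the reviewer cannot read is a log that has stopped being a control.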

Chapter 11

Combining Technology and Social Engineering

A social engineer lives by his ability to manipulate people into doing things that help him achieve his goal, but success often also requires a large measure of knowledge and skill with computer systems and telephone systems.

Here’s a sampling of typical social engineering scams where technology played an important role.

HACKING BEHIND BARS

What are some of the most secure installations you can think of, protected against break-in, whether physical, telecommunications, or electronic in nature? Fort Knox? Sure. The White House? Absolutely. NORAD, the North American Air Defense installation buried deep under a mountain? Most definitely.

How about federal prisons and detention centers? They must be about as secure as any place in the country, right? People rarely escape, and when they do, they are normally caught in short order. You would think that a federal facility would be invulnerable to social engineering attacks. But you would be wrong—there is no such thing as foolproof security, anywhere.

A few years ago, a pair of grifters (professional swindlers) ran into a problem. It turned out they had lifted a large bundle of cash from a local judge. The pair had been in trouble with the law on and off through the years, but this time the federal authorities took an interest. They nabbed one of the grifters, Charles Gondorff, and tossed him into a correctional center near San Diego. The federal magistrate ordered him detained as a flight risk and a danger to the community.

His pal Johnny Hooker knew that Charlie was going to need a good defense attorney. But where was the money going to come from? Like most grifters, their money had always gone for good clothes, fancy cars, and the ladies as fast as it came
