Recent news about the NSA accessing personal information, and allegations of Canadian officials spying on their Brazilian counterparts, has brought surveillance and security issues to the public eye once again. Because network security is one of my areas of specialization, people often come to me when topics such as these ones make the headlines. Everybody is quick to scrutinize the technology – what was wrong with the technical solution, the architect or the network. However, in my opinion, we often overlook one of the most dangerous vectors of a security attack: social engineering.
Social engineering refers to the manipulation of people – convincing them to divulge personal information. I don’t believe most people would willingly give up their usernames and passwords, but an efficient social engineer has multiple points of contact and knows how to put all the little pieces together to eventually gain unauthorized access to a secure network or system.
I was recently at an IT conference where I saw someone wearing a t-shirt that said “Social engineering – because there is no patch for human stupidity.” It made me laugh because it’s very true. We diligently strengthen computer infrastructures, servers and datacentres with patches to overcome security flaws so that they are no longer vulnerable. But it’s hard to do the same with people because it requires fighting human nature. Social engineers capitalize on people’s good nature and trust, and that’s what makes it so hard to protect against it.
I also recently listened to a presentation by Kevin Mitnick, a former hacker who now runs a security consultancy called Mitnick Security. Mitnick has said that it’s easier to convince someone to reveal their password than it is to crack a system, and we should believe him because he has years of experience doing just that.
Here’s an example of how an effective con artist might use social engineering: First, this person might do some research to find out the names and positions of the influential people in your company. Then they call you up at work and say they are from the company’s help desk, and they name-drop to establish credibility and legitimacy. A lot of us who work at larger companies wouldn’t know the help desk person by name, but if the person was convincing enough, they may be able to get you to divulge your username and password. For example, they might say something like, “We just had a network incident and we need to generate a new username and password. Was your username this?” Over the course of the conversation, you reveal enough information that it can be used in another conversation with someone else. At the end of the series of conversations, this person has gleaned enough information to gain access to the company’s network.
In years past, corporate IT was central in dictating how users accessed systems and information. The recent consumerization of IT trend has firmly entrenched the user as the center of the IT universe. Network security has had to become more dynamic and nimble as corporations want to provide anywhere-anytime-any device type access for users to information and applications. The old security rules don’t apply anymore as companies roll out BYOD programs and promote flex-work schedules based on remote access.
For this reason, when I talk to customers about security, one of the first things I like to discuss is the human angle. The best antidote to social engineering is to educate your user base, not just about password security but also topics that are beyond the obvious. Engender a culture of healthy skepticism. Encourage users to question everything to a certain degree. Provide people with the necessary tools to qualify requests for information that may be carefully disguised social engineering tactics. Develop a robust security policy. Security policies aren’t a sexy topic but they are necessary and important because they work.