[ISN] Why con artists are your biggest security threat

From: InfoSec News (isnat_private)
Date: Wed Apr 03 2002 - 23:19:20 PST


    Lee Schlesinger,
    Senior Technology Editor,
    ZDNet Tech Update
    Thursday, April 4, 2002

    Bottom line: No product you can buy will protect you completely from
    the most serious threat to your network and your business.

    That's not what you want to hear after laying out six figures to arm
    yourself with firewalls, antivirus software, and intrusion-detection
    applications, is it? Nevertheless, forewarned is forearmed, and there
    is something you can do to fight this threat.

    I'M TALKING ABOUT social engineering, which is simply a fancy way of
    saying "getting people who should know better to do what you want." A
    recent CERT report notes that attempts to hornswoggle those of you
    using instant messaging and Internet Relay Chat (IRC) via social
    engineering are on the rise.

    Victims of these hoaxes are directed to sites that ostensibly will
    help them, but really plant Trojan horse programs on their computers.
    Now what if the unsuspecting victim is infected with a Trojan horse at
    the office? It could be very costly to your business.

    So what can you do? Aside from disallowing IM applications in your
    enterprise, your best bet is to train employees against such cons.

    More common than the relatively impersonal social-engineering e-mail
    or IM is the telephone call from someone who seems to know what he's
    talking about. An unsuspecting staffer could disclose vital
    information like user IDs and passwords to someone with a good line of

    The one technology that could potentially deter this kind of caper is
    two-factor authentication. If a smooth-talking fraudster gets one of
    your employees to give up user IDs and passwords, a second security
    layer such as biometrics or smart cards could stop that would-be
    intruder from accessing your network, because the stolen password
    alone no longer logs anyone in. But even if your company does employ
    such technology, a social engineer could still convince an employee to
    e-mail him information just as easily--or he may get all he needs on
    the phone, including the second factor itself if the employee reads
    off a token code on request.
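    What that paragraph argues can be made concrete. The following is an
    added example, not code from the column or from any product it
    mentions: a toy login service that requires a password plus an HOTP
    one-time code (RFC 4226, the event-based scheme used by hardware
    tokens, standing in for the smart cards the column names). The names
    Account, login, hotp and the look-ahead window are this example's own
    choices, the employee's password is made up, and the token secret is
    the RFC 4226 test key. It walks through the three cases the column
    describes: the caller gets only user ID and password, the caller also
    gets a code the employee already used, and the caller gets a fresh
    code read off the token in real time.

```python
"""Added example: password + HOTP login, run against the social-engineering cases."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a leaked table does not give away passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    token_secret: bytes   # shared with the user's hardware token
    counter: int = 0      # lowest counter value the server will still accept

    @classmethod
    def create(cls, password: str, token_secret: bytes) -> "Account":
        salt = os.urandom(16)
        return cls(salt, _pw_hash(password, salt), token_secret)


LOOK_AHEAD = 3  # tolerate a token pressed a few times without logging in


def login(acct: Account, password: str, otp: str) -> str:
    """Return 'ok' or a reason. A real service would not tell the caller which factor failed."""
    if not hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw_hash):
        return "bad password"
    for c in range(acct.counter, acct.counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(acct.token_secret, c), otp):
            acct.counter = c + 1  # burn this code and any skipped ones: no replay
            return "ok"
    return "bad or reused one-time code"


def phone_call_scenario() -> dict:
    """Constructed walk-through of the column's telephone con (hypothetical data)."""
    acct = Account.create("Spring2002!", b"12345678901234567890")  # RFC 4226 test key
    out = {}
    # The employee logs in normally with the token's first code; the server moves on.
    out["employee"] = login(acct, "Spring2002!", hotp(acct.token_secret, 0))
    # 1. The caller talked the employee out of user ID and password only: must guess the code.
    out["password_only"] = login(acct, "Spring2002!", "000000")
    # 2. The caller also got the employee to read back the code just used: replay is refused.
    out["replayed_code"] = login(acct, "Spring2002!", "755224")
    # 3. The caller keeps the employee on the line and asks for the next code: nothing stops him.
    out["live_code"] = login(acct, "Spring2002!", hotp(acct.token_secret, 1))
    return out


if __name__ == "__main__":
    for case, result in phone_call_scenario().items():
        print(f"{case:15s} -> {result}")
```

    Cases 1 and 2 are where the second factor earns its keep: a password
    given away on the phone, or a code that has already been consumed,
    gets the caller nowhere. Case 3 is the column's caveat in code form;
    once the employee is willing to relay whatever the token shows, the
    technology is out of the loop, and only the awareness training below
    helps.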
    THE ONLY OPTION for preventing social-engineering intrusions is
    awareness. Learn the perpetrators' secrets. Train everyone in your
    organization to recognize warning signs, like people who ask for
    sensitive information but refuse to give contact information. Simply
    asking for a phone number, looking it up independently in your own
    directory, and calling back on that number (not the one the caller
    offers) is often enough to stop such theft. Beware of someone trying
    to use intimidation or flattery to extract information. And make sure
    your employees are confident and wary enough to outsmart tricksters.

    Here's another piece of advice: When one of your colleagues stops a
    social-engineering exploit, let others in the company know, in case
    the con artist tries again. Hold an annual training session to
    heighten security awareness, and try staging mock break-ins once in a
    while to be sure people remember the lessons.

    You can't stop con artists from trying to take advantage of your
    employees and your business. But you can educate your workforce so
    they're prepared to deal with them. If you follow the guidelines I've
    set out, you're off to a good start.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Apr 04 2002 - 02:20:25 PST