[ISN] Up close and personal with the social hackers

From: InfoSec News (isnat_private)
Date: Wed Sep 03 2003 - 02:24:17 PDT

  • Next message: InfoSec News: "[ISN] Federal criminal complaint against Jeffrey Lee Parson"

    By Eric Wilson
    August 26, 2003
    Is your IT security training up to scratch? Take this simple test to
    see ...
    "It's the IT department on the phone, and it's urgent. We've had a
    system crash and we've had this terrible MSBLASTER worm and your team
    is at risk. We need your password to remotely install a patch."
    At this point, many people will be hacked - not by the worm, but by
    the guy with the authoritative voice on the telephone. He's now been
    given a valid user name and password. Yours. By the time your real IT
    department detects and tracks down the intruder, he'll be long gone.  
    In fact, the "terrible MSBLASTER worm" was probably zapped by your
    corporate firewall long before it could reach your machine.
    Steve Bittinger, Gartner Group's security research director, says this
    kind of "social engineering" hack happens every day because companies
    haven't trained their staff to know when they're being conned.
    "It's easy to point the finger at worms and firewalls, but in the end,
    the really big losses come from social engineering," Bittinger says.
    "They play sides of the organisation against each other, collecting
    more information each time around the loop."
    Here's another bit of social hacking, but this time the hack is made
    at the IT department's expense.
    "I've just joined the accounts department and the piece of paper you
    gave me yesterday - well, I lost it. Could you please give me my user
    name and password again?"
    The system administrator checks and yes, Bill McCoy did join the
    accounts department yesterday. But the administrator doesn't realise
    that he isn't talking to the real McCoy, but some outsider who hangs
    around the cafeteria, gathering information.
    Potential social hackers also include couriers, telephone installers
    or anyone else allowed to walk around your office.
    "The kind of training these ordinary non-technical people need is to
    know what these risks look like," Bittinger says. "People's notebooks
    disappear off their desks at lunchtime when a contractor or
    consultant-looking person walks off with them."
    Bittinger says companies are being told to spend 90 per cent of their
    security training budget on three groups - system administrators,
    software developers and senior management. For senior management, it's
    not the technical know-how that's needed but a knowledge of basic IT
    security principles to help them make wise decisions. But
    unfortunately, this formula only leaves 10 per cent of security
    training for everyone else.
    "Some organisations are using e-learning to keep costs down,"  
    Bittinger says.
    "One of the largest universities in Australia was telling me they had
    tremendous success identifying a security focal-point person in every
    department. They meet once a month, so they are not trying to train
    thousands of people."
    Whatever the method, people need to be trained to recognise suspicious
    Then they need to be motivated to get involved.
    "Often people say 'Yeah, I did see a guy over there by John's desk,
    but I thought there must have been something wrong with his computer.'
    They need to know what to do. Does the secretary want to confront him
    or should she call someone?"
    For small businesses, social hacking is less of a problem -everyone
    knows everyone's movements and activities - but because small to
    medium-sized business do not have designated IT staff they are often
    more vulnerable to the usual forms of hacking, such as remote
    penetration through the internet.
    For Natasha David, IDC's research manager of infrastructure and
    training, the enemy of small business is business as usual. "When you
    look at small business training for internet security, there is no
    training," she says. "It's not because they don't want to - they have
    no time. They are more likely to be sent away on industry-specific
    David says that even in big companies, the IT security training budget
    is a grim-looking affair. And since good security involves
    implementing and sticking with prudent management procedures, as well
    as technologies, that's not good.
    "They don't have the budget," she says. "So it's falling more to the
    IT vendor to provide the training with the licence. In order to make
    the sale, they are saying 'OK, we'll provide training as well'."
    But the best training, which probably won't be vendor-specific, is all
    for naught unless the proper motivation is maintained. Both
    researchers say incentives need to be built in to keep people alert.
    "In case the slammer worm comes around, you need a fire-alarm-like
    training drill," David says.
    "In a fire-like situation, you have another set of rules that take
    over the normal operating environment. You need incentives and
    disincentives to make people aware of it."
    Of even more concern is data theft. Even small businesses have
    sensitive information to protect.
    Natasha David says a doctor's surgery is the prime example of where
    privacy is paramount, but the motivation for busy owner-doctors to
    train for IT security is poor.
    "The medical association might say, 'This is what you need to do to
    secure your private information', but will he have his licence taken
    away from him if he does not? I don't think so. At the end of the day,
    there just isn't the incentive for doctors to get trained unless they
    themselves become the victim a privacy breach."
    Human nature is the biggest IT security problem.
    It's human nature to keep ignoring a risk, especially one you can't
    even see - until it actually hurts you.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 03 2003 - 06:26:02 PDT