[ISN] Social engineering holds clue to security leaks: expert

From: InfoSec News (isn@private)
Date: Thu Dec 11 2003 - 01:08:38 PST

    http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=54350
    
    by Geoffrey Downey 
    12/9/2003
    
    FREDERICTON -- The Maritimes are behind the times when it comes to
    information security governance, according to an expert, but many also
    fall prey to the trickery of social engineering.
    
    Mark Bernard, CEO of Hartland, N.B.-headquartered Apollo Computer
    Consultants, said this is especially true when it comes to the
    Personal Information Protection and Electronic Documents Act, which
    comes into full effect next month.
    
    "I think private industry has been very slow to come around," Bernard
    said. "I talked to the chief registrar of the medical association
    about what they're doing to help the doctors adapt and they basically
    said, 'We're sitting back to see what happens.'"
    
    "It's slow coming. The awareness here in the Maritimes is very low.  
    We're going to need a couple of big (court) cases before (things get
    better)."
    
    Bernard was one of many presenters Tuesday at a security and privacy
    workshop organized by the Atlantic Chapter of High Tech Criminal
    Investigation Association, an international association of public and
    private sector security professionals based in Washington, D.C.
    
    All the legislation and security technology in the world, however,
    cannot bolster the weakest link in the chain: us. Roy Nicholl,
    co-founder of Fredericton-based Surety Partners, said given enough
    time someone within an organization is bound to unknowingly surrender
    information needed to breach enterprise security. The process is known
    as social engineering -- establishing trust with a hidden agenda.
    
    "It's the hardest form of attack on an organization to defend against.  
    You can't buy firewalls to protect against it. You can't buy hardware
    systems to protect against it," Nicholl said. "Why would you try to
    hack into someone’s security system when you can get them to open the
    door and let you in?"
    
    The crux of the problem is that human beings are hardwired to trust
    others, Nicholl said -- we are conditioned to be helpful and we have a
    fear of negative repercussions. A popular tactic is to get the person
    with the information excited -- "I need this password or I'll get
    fired," someone might say, or "If I don't get this information, you'll
    get fired" -- so they won’t think as clearly, he said.
    
    "This serves as a distraction which interferes with your ability to
    think things through rationally," Nicholl said.
    
    Social engineers will also capitalize on our submissiveness to
    authority. Nicholl said this is why someone will pretend to be the
    vice-president or acting on behalf of an executive.
    
    "The person purporting to be in a position of authority doesn't even
    have to be present," Nicholl said.
    
    The best defence against these attacks is ensuring policies and
    practices are in place, Nicholl said, adding that employees need to be
    regularly educated and reminded about how they should conduct
    themselves. They also need to be able to recognise when someone is
    using social engineering tactics against them, he said.
    
    Catching and convicting someone for committing an electronic crime is
    very hard, according to crown prosecutor Cameron Gunn. While the
    information gap between segments of society has been much publicized,
    there is also a gap between criminals and law enforcement.
    
    Gunn said there are a number of factors contributing to the problem:  
    the breadth of crimes, a lack of boundaries and a general lack of
    understanding. This is compounded, he added, by the plummeting cost of
    technology and cheap or free Internet access. Other factors include
    the notion of anonymity, and the fact that criminals are aware of how
    difficult some technology-related laws are to enforce, assuming there
    are any.
    
    We've reached a crossroads, Gunn said, when we must choose between
    fighting and surrendering. Gunn said he'd like to see us fight, but
    companies have to lead the charge and begin reporting security
    breaches and other crimes. This is essential so everyone can get
    better at their jobs, he said.
    
    "You need to teach me a lot about computers; I need to teach you a lot
    about criminals," Gunn said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    