http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=54350 by Geoffrey Downey 12/9/2003

FREDERICTON -- The Maritimes are behind the times when it comes to information security governance, according to an expert, and many also fall prey to the trickery of social engineering.

Mark Bernard, CEO of Hartland, N.B.-headquartered Apollo Computer Consultants, said this is especially true when it comes to the Personal Information Protection and Electronic Documents Act, which comes into full effect next month.

"I think private industry has been very slow to come around," Bernard said. "I talked to the chief registrar of the medical association about what they're doing to help the doctors adapt and they basically said, 'We're sitting back to see what happens.'

"It's slow coming. The awareness here in the Maritimes is very low. We're going to need a couple of big (court) cases before (things get better)."

Bernard was one of many presenters Tuesday at a security and privacy workshop organized by the Atlantic Chapter of the High Tech Criminal Investigation Association, an international association of public and private sector security professionals based in Washington, D.C.

All the legislation and security technology in the world, however, cannot bolster the weakest link in the chain: us.

Roy Nicholl, co-founder of Fredericton-based Surety Partners, said given enough time someone within an organization is bound to unknowingly surrender information needed to breach enterprise security. The process is known as social engineering -- establishing trust with a hidden agenda.

"It's the hardest form of attack on an organization to defend against. You can't buy firewalls to protect against it. You can't buy hardware systems to protect against it," Nicholl said. "Why would you try to hack into someone's security system when you can get them to open the door and let you in?"

The crux of the problem is that human beings are hardwired to trust others, Nicholl said -- we are conditioned to be helpful and we have a fear of negative repercussions.

A popular tactic is to get the person with the information excited -- "I need this password or I'll get fired," someone might say, or "If I don't get this information, you'll get fired" -- so they won't think as clearly, he said.

"This serves as a distraction which interferes with your ability to think things through rationally," Nicholl said.

Social engineers will also capitalize on our submissiveness to authority. Nicholl said this is why someone will pretend to be the vice-president or to be acting on behalf of an executive.

"The person purporting to be in a position of authority doesn't even have to be present," Nicholl said.

The best defence against these attacks is ensuring policies and practices are in place, Nicholl said, adding that employees need to be regularly educated and reminded about how they should conduct themselves. They also need to be able to recognise when someone is using social engineering tactics against them, he said.

Catching and convicting someone for committing an electronic crime is very hard, according to crown prosecutor Cameron Gunn. While the information gap between segments of society has been much publicized, there is also a gap between criminals and law enforcement.

Gunn said there are a number of factors contributing to the problem: the breadth of crimes, a lack of boundaries and a general lack of understanding. This is compounded, he added, by the plummeting cost of technology and cheap or free Internet access. Other factors include the notion of anonymity, and the fact that criminals are aware of how difficult some technology-related laws are to enforce, assuming there are any.

We've reached a crossroads, Gunn said, when we must choose between fighting and surrendering.

Gunn said he'd like to see us fight, but companies have to lead the charge and begin reporting security breaches and other crimes. This is essential so everyone can get better at their jobs, he said.

"You need to teach me a lot about computers; I need to teach you a lot about criminals," Gunn said.