Tuesday, February 22, 2011

Social Engineering

Chapter #10 deals a lot with security, different types of penetration, encryption and so on, but I think it misses one fundamental part of the equation: people are the weakest link in that particular system. What exactly do I mean?

1. Users continuously disregard IT recommendations for better passwords; they often use a birthday plus the name of a child or spouse, or something similar, making it easy for attackers.
2. Not following security protocols. While I was working as a system administrator, we had to support a media business, which had a Linux server with all the necessary components, plus an ORACLE database for their specific needs.

The server, the main PBX switch and the routers were all in the communication room, which is supposed to have its own cooling system and should be locked at all times. The specific problem arose when someone unlocked the door, stopped the cooling because, according to them, it was too loud for the neighbours, and at the end of the day left the door open. Later the same night, while I was working remotely on the server, my connection was dropped around 1AM. I thought it was a power problem, and even though the server was still not back up at 3AM, I decided to go to bed, thinking I would just start early in the morning once the power was restored.

Imagine my surprise when I got a phone call in the morning saying that this was not a power problem, but a burglary. They cut the phone lines and the cable lines and went into the office. Now, that particular firm had a very good database, worth several million, and because the door to the server room was left open, the thieves could have just picked up the server and left. Thanks to their own stupidity, and to their not being from the competition, they only took the office safe box, which had no more than $3000 inside, leaving the server and the important information intact. But because of the actions of several people in the office, this story could have had a bad ending.

Another example is employee theft: the managers in another business did not contact IT to say that one particular employee was leaving and that his access should be terminated, so he was able to download the entire HR database and take it with him to the competition.

One of the last examples is so-called "social engineering", which is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques like:

Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.

Phishing
Phishing is a technique for fraudulently obtaining private information. There is also phone phishing: extracting information from an employee through a phone call.

Quid pro quo
Quid pro quo means something for something:
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them.

There are many other techniques, and a lot of them are described in Kevin Mitnick's book "The Art of Deception". And even if you think that people should be aware and trained not to fall victim to that kind of social engineering, it actually happens quite often.
