The Greatest Security Vulnerability: You
post 18 Oct 2011, 10:16 PM
Post #1


Group: Admin
Posts: 89654
Joined: 3-June 05
From: Athens, Greece
Member No.: 1

Summary: You are the weakest security link but you can be fixed. The fix is simple to say out loud but not so simple to do.

Believe it or not, the greatest threat to your personal or corporate computing environment is you. You put your personal and collective corporate security at risk every day by just being you. It's not a particular personality flaw with you as an individual but rather it is your innate human response to other humans. You want to be open, helpful and kind but those attributes are also your security Achilles' heel. The quote, “A little kindness goes a long way,” is no less true when speaking of computer security. That wee bit of kindness that you show a stranger could put your personal and corporate security at significant risk and could result in very high remedial costs.

The Background

Attackers who want into your network or who want your data will take the path of least resistance to attain their goals. If your systems aren't patched, they'll attack and compromise them. If your network security lacks the proper defenses, they'll trot through that open gate with ease. If your physical security is a joke, the joke will soon be on you, when an attacker can make his way into your offices to drop a USB drive, to grab information from a desk or to have a “look-see” on an unlocked computer. Finally, if your people aren't prepared for social engineering attacks, all your other defenses are useless.

The Problem

From a corporate standpoint, your network security team and system administrators can maintain patches, apply updates and install security software but they can't fix you. There's no patch available for your vulnerabilities. Social engineering is the most effective attack mode on any computer system or network. It is 100 percent effective. It also leaves the fewest traces and always involves someone on the inside doing something or saying something that gives an attacker the surface he needs to gain access to systems, data and information.

The Solution

The solution, simply put, is education.

An expanded version of my terse answer can be found in the final chapter of Christopher Hadnagy's Social Engineering: The Art of Human Hacking.

“Security through education cannot be a simple catch phrase; it has to become a mission statement. Until companies and the people who make up those companies take security personally and seriously, this problem won't be fixed completely. In the meantime, those who were serious enough to read this book and to have a desire to peer into the dark corners of society can enhance their skills enough to keep their families, selves, and companies a little more secure.

Until companies begin to realize their vulnerability to social engineering attacks, individuals will have to educate themselves about attack methods and stay vigilant, as well as spread the word to others. Only then do we have hope of staying if not one step ahead of an attack, then not too far behind.”

One of the biggest hurdles to overcome is your own self-conceit in thinking that it can't happen to you. When I interviewed Christopher, I was shocked by the percentage of successful social engineering attacks he's performed over the years. It's very disheartening to know that he has a 100 percent success rate at social engineering attacks. That number should alarm you as well.

How do we protect ourselves, when it seems that the situation is hopeless?

It isn't hopeless but social engineering attacks, as successful as they are, can be made so difficult that an attacker will seek easier prey elsewhere. Your job is to make the attacker's job very difficult. Learn the paths that your enemy will take to attack you and lower his attack surface.

How can you do this?

It requires a high level of constant vigilance and perhaps scripted responses to “harmless” questions from strangers. It also requires 100 percent compliance from every employee, including maintenance and housekeeping staff. Education is the key to prevention but you must also have a disaster recovery plan. Knowing how successful social engineering is, you have to construct a recovery plan should you fall victim to an attack.

Unfortunately, good information with which to educate yourself is scarce. Much of what you'll find is generic information, misleading information, incorrect information or information that will make you more vulnerable to an attack.

Have you ever been the victim of a social engineering attack? What was the outcome? Talk back and let me know.
