> The Greatest Security Vulnerability: You
NickTheGreek
post 18 Oct 2011, 10:16 PM
Post #1


Administrator

Group: Admin
Posts: 110735
Joined: 3-June 05
From: Athens, Greece
Member No.: 1
Zodiac Sign: I'm a leo!
Gender: I'm a m!





Summary: You are the weakest security link but you can be fixed. The fix is simple to say out loud but not so simple to do.



Believe it or not, the greatest threat to your personal or corporate computing environment is you. You put your personal and collective corporate security at risk every day by just being you. It's not a particular personality flaw with you as an individual but rather it is your innate human response to other humans. You want to be open, helpful and kind but those attributes are also your security Achilles' heel. The quote, "A little kindness goes a long way," is no less true when speaking of computer security. That wee bit of kindness that you show a stranger could put your personal and corporate security at significant risk and could result in very high remedial costs.

The Background

Attackers who want into your network or who want your data will take the path of least resistance to attain their goals. If your systems aren't patched, they'll attack and compromise them. If your network security lacks the proper defenses, they'll trot through that open gate with ease. If your physical security is a joke, the joke will soon be on you, when an attacker can make his way into your offices to drop a USB drive, to grab information from a desk or to have a 'look see' on an unlocked computer. Finally, if your people aren't prepared for social engineering attacks, all your other defenses are useless.

The Problem

From a corporate standpoint, your network security team and system administrators can maintain patches, apply updates and install security software but they can't fix you. There's no patch available for your vulnerabilities. Social engineering is the most effective attack mode on any computer system or network. It is 100 percent effective. It also leaves the fewest traces and always involves someone on the inside doing something or saying something that gives an attacker the surface he needs to gain access to systems, data and information.

The Solution


The solution, simply put, is education.

An expanded version of my terse answer can be found in the final chapter of Christopher Hadnagy's Social Engineering: The Art of Human Hacking:

"Security through education cannot be a simple catch phrase; it has to become a mission statement. Until companies and the people who make up those companies take security personally and seriously, this problem won't be fixed completely. In the meantime, those who were serious enough to read this book and to have a desire to peer into the dark corners of society can enhance their skills enough to keep their families, selves, and companies a little more secure.

Until companies begin to realize their vulnerability to social engineering attacks, individuals will have to educate themselves about attack methods and stay vigilant, as well as spread the word to others. Only then do we have hope of staying if not one step ahead of an attack, then not too far behind."

One of the biggest hurdles to overcome is your own self-conceit in thinking that it can't happen to you. When I interviewed Christopher, I was shocked by the percentage of successful social engineering attacks he's performed over the years. It's very disheartening to know that he has a 100 percent success rate at social engineering attacks. That number should alarm you as well.

How do we protect ourselves, when it seems that the situation is hopeless?

It isn't hopeless, but social engineering attacks, as successful as they are, can be made so difficult that an attacker will seek easier prey elsewhere. Your job is to make the attacker's job very difficult. Learn the paths your enemy will take to attack you and shrink the attack surface he can use.

How can you do this?

It requires a high level of constant vigilance and perhaps scripted responses to "harmless" questions from strangers. It also requires 100 percent compliance from every employee, including maintenance and housekeeping staff. Education is the key to prevention, but you must also have a disaster recovery plan. Knowing how successful social engineering is, you have to construct a recovery plan should you fall victim to an attack.

Unfortunately, good information with which to educate yourself is scarce. Much of what you'll find is generic information, misleading information, incorrect information or information that will make you more vulnerable to an attack.

Have you ever been the victim of a social engineering attack? What was the outcome? Talk back and let me know.


--------------------

c:\ When the going gets tough, the tough get going ...