I had an interesting day last Friday. I spent the day at a training course entitled "Cyber Terrorism". In truth the title was something of a misnomer, but the course was well worth the time. Not because I have become some sort of security guru or an infamous hacker overnight, but simply because in an industry filled with hype and oversell, it is occasionally interesting to get some real views from real people on the ground.
A good example is social engineering. It is something most security companies will mention by default when presenting their latest software solutions, but is often marginalised and trivialised. Listening to both presenters and attendees at the course, it became obvious to me that social engineering is one of the most important, if not the most important issue, when looking at IT security.
Human error is the weakest link in the firewall.
Alastair Otter, journalist, ITWeb
Social engineering is very much what it sounds like. A would-be attacker phones up your reception desk pretending to be an IT service agent and asks for the administrator password for your network, ostensibly to fix something, and the receptionist gives it to him. Or when a hacker starts to befriend a disgruntled employee with a view to extracting network details. Or even just walks through the front door, pretends to be someone with a legitimate reason to be there, and plugs some sort of sniffer box onto your network and walks out.
It's not as glamorous as in the "hacker" movies but possibly more effective than sitting in front of a glowing screen in a darkened room for months on end trying to break the simplest of passwords.
One of the attendees at the event, a SAPS representative, had a number of interesting examples of times that he and his colleagues had bypassed security measures through social engineering. The presenter, SensePost's Charl van der Walt, had equally disturbing stories. One in particular stood out. While testing a client's network they calmly walked in the front door, announced they were there to "install a network sniffer" and were ushered through the main office. With the box clipped under a desk and plugged into the network, they were able to dial in later from home and calmly browse the network.
Social engineering doesn't take a lot of skill and yet can be dangerously effective. A similar and related topic raised was the physical security of network devices. Imagine that you spend every last cent of your budget on intrusion detection systems, firewalls and anti-virus software, and someone comes along, plugs a laptop into a spare network point, or picks up a wireless signal outside your building. They are now inside your network and can do just about anything they like.
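The "laptop on a spare network point" scenario is one that a network team can actually watch for: an address that appears on the DHCP server or in a switch's learned-address table but is not in the asset inventory, or any traffic at all on a port that is documented as unused. The script below is an added example, not something from the column or from SensePost; the DHCP log lines, the switch MAC-table layout, the inventory (`KNOWN_MACS`) and the list of ports meant to be shut down (`SPARE_PORTS`) are all constructed here, and real switches and DHCP servers use their own formats.

```python
"""Rogue-device check: unknown MACs and activity on ports that should be unused.

Added example, not from the original column. The log formats, the inventory
and the list of spare ports are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: syslog lines in the style an ISC-dhcpd server writes
# (simplified; a real deployment would feed in the actual log).
SAMPLE_DHCP_LOG = """\
Mar 14 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:1a:2b:3c:4d:5e (wkstn-accounts-07) via eth0
Mar 14 09:03:45 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:1a:2b:3c:4d:5f (wkstn-accounts-08) via eth0
Mar 14 12:17:03 dhcp1 dhcpd: DHCPACK on 10.0.5.97 to 08:00:27:aa:bb:cc (ubuntu) via eth0
Mar 14 12:17:09 dhcp1 dhcpd: DHCPDISCOVER from dc:a6:32:11:22:33 via eth0
"""

# Constructed sample: a switch's learned-address table, "port mac type" per line.
SAMPLE_SWITCH_MAC_TABLE = """\
Gi1/0/7  00:1a:2b:3c:4d:5e  dynamic
Gi1/0/8  00:1a:2b:3c:4d:5f  dynamic
Gi1/0/23 08:00:27:aa:bb:cc  dynamic
Gi1/0/12 dc:a6:32:11:22:33  dynamic
"""

# Hypothetical asset inventory and the ports that should be administratively down.
KNOWN_MACS = {
    "00:1a:2b:3c:4d:5e": "wkstn-accounts-07",
    "00:1a:2b:3c:4d:5f": "wkstn-accounts-08",
}
SPARE_PORTS = {"Gi1/0/23", "Gi1/0/24"}

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
DHCP_LINE_RE = re.compile(
    r"dhcpd: (?:DHCPACK on (?P<ip>\S+) to|DHCPDISCOVER from) " + MAC, re.I
)
MAC_TABLE_RE = re.compile(r"^\s*(?P<port>\S+)\s+" + MAC, re.I | re.M)


@dataclass(frozen=True)
class Finding:
    severity: str
    mac: str
    detail: str


def parse_dhcp(log_text):
    """Return {mac: leased_ip_or_None} for every MAC that talked to the DHCP server."""
    seen = {}
    for m in DHCP_LINE_RE.finditer(log_text):
        mac = m.group("mac").lower()
        # A DHCPACK carries the handed-out address; a bare DISCOVER does not,
        # but the device was still on the wire, so record it either way.
        seen[mac] = m.group("ip") or seen.get(mac)
    return seen


def parse_mac_table(text):
    """Return {mac: port} from the switch's learned-address table."""
    return {m.group("mac").lower(): m.group("port") for m in MAC_TABLE_RE.finditer(text)}


def find_rogue_devices(dhcp_text, mac_table_text, known_macs, spare_ports):
    """Flag MACs missing from the inventory and any activity on spare ports."""
    leases = parse_dhcp(dhcp_text)
    ports = parse_mac_table(mac_table_text)
    findings = []
    for mac in sorted(set(leases) | set(ports)):
        port = ports.get(mac)
        if mac in known_macs:
            # An inventoried host on a port that should be down is still worth a look.
            if port in spare_ports:
                findings.append(Finding("medium", mac,
                    f"inventoried host {known_macs[mac]} seen on spare port {port}"))
            continue
        if port in spare_ports:
            severity = "high"
            detail = f"unknown device on spare port {port} (port should be shut down)"
        else:
            severity = "medium"
            detail = f"unknown device on port {port or '?'}"
        if leases.get(mac):
            detail += f", leased {leases[mac]}"
        findings.append(Finding(severity, mac, detail))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_DHCP_LOG, SAMPLE_SWITCH_MAC_TABLE,
                                KNOWN_MACS, SPARE_PORTS):
        print(f"[{f.severity}] {f.mac}: {f.detail}")
```

On the constructed input this reports the Ubuntu box on Gi1/0/23 as high (an unknown device on a port that was supposed to be shut down, now holding a lease) and the second unknown MAC as medium. The cheaper fix the column points at is upstream of any script: shut down unused ports and keep an inventory that the check can be run against, so that a device plugged in under a desk shows up as a finding rather than a surprise.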
I'm not knocking intrusion systems, firewalls and the like. They are still the cornerstones of good security and there are some excellent products out there. But bear in mind that no matter how much you spend on software and hardware, it is worthless if a would-be attacker is allowed to walk through the front door and into your security zone. Or if they have the root password, thanks to your receptionist.