Monday, June 29, 2015

Social Engineering

Social Engineering, sometimes referred to as 'human hacking', is responsible for some of the most damaging attacks ever recorded.  Even aspects of Stuxnet were attributed to targeted social engineering operations.  Social engineering is dangerous because it revolves around the one factor in an organization that can't be predictably incorporated into a security program.

Or can it?

Just in case I've lost you, social engineering is the act of persuading a person to divulge information, or take an action, that is not in their (or their employer's) best interest.  For example, I could call, email, or simply approach someone in person and claim to be an IT professional.  I could tell them that their workstation has been infected, and that they'll likely get in trouble because this has occurred as a result of their 'abuse' of company network resources.  People might start thinking, 'oh no, I must have clicked on something on Facebook...', but will rejoice when I inform them that I can fix it before anyone has to find out.  All they have to do is give me the keys.

Most professionals and attackers will tell you that the easiest way to obtain someone's credentials is to ask for them.  If you ask the right way, you'll find that statement is surprisingly true.

I've recently become more interested and involved in social engineering assessments at the office.  Partly because I genuinely find it interesting, and also because we don't seem to have a resident expert.  We have a guy that's really smart on networking and program management, another guy that's a brilliant coder and pentester, but no one that seems to want to own the social aspect.  There's a lot to be said about finding a niche and becoming part of the team, at least enough to motivate growth.

So back to my original question: can the human factor be made predictable enough to secure an organization?  I think yes, but probably not the way you think.

Truth: just assume someone in your organization is going to be the victim of an attack.  Don't 'if' about it, and don't train as though awareness alone can be raised to a level that is immune to an attacker's charm and wit.  Someone is going to screw up and give someone bad the keys to the castle.

However, you can put other safeguards in place to detect, contain and remediate the effects of a compromised user: multi-factor authentication so a phished password alone doesn't open the door, least privilege so no single account holds the keys to the whole castle, and logging and alerting on authentication so that credentials being used from somewhere they shouldn't be gets noticed quickly.  In my opinion, the focus on awareness training should be less significant than the focus on mitigation efforts.  As I've said before, you put in sprinklers and do fire drills so that 'when' the fire occurs, you can react.  Information security should be no different.
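As an added illustration of the 'detect' part of that (example code written for this page, not tooling from the original post), here is a small pass over authentication events that looks for two signs that a phished set of credentials is now being used by someone else: a first-ever login from outside the corporate network, and two successful logins from different addresses within a short window. The log lines, the corporate address range (10.20.0.0/16) and the ten-minute window are all constructed assumptions for the example.

```python
"""Spot credentials that have probably walked out the door.

Added example: heuristic detection over authentication events, written to
illustrate the post's point about detecting a compromised user. The log
format, addresses and thresholds below are constructed assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): jdoe works from one internal
# workstation all morning, then at 13:17 the same account logs in from an
# external address less than two minutes after the internal session.
SAMPLE_LOG = """\
2015-06-29T08:02:11 user=jdoe src=10.20.4.17 result=success
2015-06-29T08:40:03 user=jdoe src=10.20.4.17 result=success
2015-06-29T09:10:00 user=asmith src=10.20.7.3 result=success
2015-06-29T09:11:00 user=asmith src=10.20.7.3 result=failure
2015-06-29T13:15:42 user=jdoe src=10.20.4.17 result=success
2015-06-29T13:17:09 user=jdoe src=203.0.113.55 result=success
2015-06-29T13:18:30 user=jdoe src=203.0.113.55 result=success
"""

# Assumptions for the example: the corporate address space, and the window
# inside which two logins from different networks count as one set of
# credentials being used in two places at once.
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]
CONCURRENT_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # don't let one bad line stop the whole pass
        ts, user, src, result = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": ipaddress.ip_address(src),
            "ok": result == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_corporate(addr):
    return any(addr in net for net in CORP_NETS)


def detect(events):
    """Return a list of (rule, user, timestamp, src) alerts."""
    alerts = []
    seen_sources = {}  # user -> set of addresses already used successfully
    last_success = {}  # user -> most recent successful event
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are a different story; only successes matter here
        user, src = e["user"], e["src"]
        known = seen_sources.setdefault(user, set())

        # Rule 1: first successful login from outside the corporate network for a
        # user whose every earlier success came from inside it.
        if (known and not is_corporate(src) and src not in known
                and all(is_corporate(k) for k in known)):
            alerts.append(("new_external_source", user, e["ts"].isoformat(), str(src)))

        # Rule 2: a success from a different address within CONCURRENT_WINDOW of
        # the previous success. One person, two places.
        prev = last_success.get(user)
        if prev and prev["src"] != src and e["ts"] - prev["ts"] <= CONCURRENT_WINDOW:
            alerts.append(("concurrent_sessions", user, e["ts"].isoformat(), str(src)))

        known.add(src)
        last_success[user] = e
    return alerts


def users_to_contain(alerts):
    """Accounts that should have sessions killed and a password reset forced."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for rule, user, ts, src in found:
        print(f"{ts} {user} {src} -> {rule}")
    print("contain:", users_to_contain(found))
```

Both rules fire for jdoe's 13:17:09 login and nothing fires for asmith, which is the shape you want: the training may or may not have stopped jdoe handing over the password, but the misuse still shows up in the logs within minutes, and the containment step (kill sessions, reset the password) has a concrete trigger.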
