Social Engineering - a way past even the best physical security

(second in this series on FUD and securing the computer)
Social engineering is a polite way of saying "screwing with people's minds" - taking advantage of their preconceptions, biases, soft spots, basic human decency and humanity.
The biggest security hole in today's business and home Internet and computing environment is the "nut behind the wheel" - the person at the keyboard. It doesn't matter how secure the network or the computer is, the operator (that's you, your employees, and your family if they share your computer) is the key weakness.
It can be something as simple as the subject of an e-mail with a malware payload being "Here's the file you asked for" - even though you didn't ask for it. It can be as complex as a MacGyver episode where the hero masquerades as a telephone repairman and asks your receptionist for the key to the computer room "so I can trace the problem your IS manager reported."
The point is that everyone who deals with a computer must take responsibility for the security of it and the rest of the ones connected to it in the local network. They can't rely on any software or hardware to provide absolute protection since this is simply not possible. The problem is that many (most) of the vendors of software and hardware security systems market their wares as if they (and only they) will be absolute protection against all threats; and they certainly are not!
Some of the most embarrassing exploits of otherwise "absolutely" hardened systems have been via the weaknesses of the flesh; sometimes all too literally. Even before the advent of widespread computing, the security of installations, armies and governments was compromised by the likes of "Madeleine" (a British spy) and "Cynthia" (an American), both of whom used their natural assets in the course of their careers as spies against the Nazis.
All it takes is a failure to follow what should be a hard and fast rule in your organization: identify and monitor all people who come anywhere near your systems. This policy should include guidelines such as establishing that a repair person was expected, who called, who was dispatched, and what exactly they are allowed/supposed to be doing.
The military have it right: I watched Danny DeVito in "Renaissance Man" last night. The guard at the gate when Danny's character first enters the facility where he will be teaching continues to answer Danny's questions on how to get to the building he is to report to by stating "First, go to building XXX and get a pass" - no matter how many times Danny asks for simple directions to the eventual destination, the answer is always the same! Get a pass!
Another hard and fast rule is never leave a public area alone when there are valuables in it. I recall an instance where two brand new laptop computers (worth at that time about $7,000 each) disappeared from the area of the front desk of a company. The reception area was not properly manned because the office was in the process of being built. The fact that the office was in a state of flux is not an excuse! Someone came up the elevator, walked around a corner, picked up two boxes sitting beside an otherwise unmanned front desk, and walked out; but that is only a physical loss. The potential for a data loss or system compromise is even greater, since the system of computers and the data on them in even a small business can be worth many times the price of a single laptop, or even two! All it takes is someone walking up to a networked computer left carelessly on, and running a program from the web - probably already set up and waiting on their own or another compromised computer. The result is a local computer compromised with almost any kind of malware, from a worm to a keystroke logger. Once done, this is very hard to undo and can be almost impossible to detect.
While the necessary vigilance is something that all employees (and family) must understand and practice, this doesn't mean you (or they) need to be socially abrasive towards strangers. What it does mean is that strangers who don't have a legitimate reason to be in your private areas, or who don't have excellent and credible identification, should not be trusted anywhere near your valuable assets; and you should consider a logged-in computer system as a valuable asset!
This even has application outside of computers. I don't know about other cities, but here in the Vancouver area we have had our share of what are commonly called "home invasions", where a seemingly innocent individual talks their way into a home. They then abuse the owner's trust by either assaulting them or unobtrusively robbing them.
Just as good door locks are no use if the door is left open, or opened to strangers not properly vetted, so too are computer login and password systems useless when the system is left unattended while logged in. In earlier times, on Unix and other host-terminal based systems, the administrator could easily enforce an inactivity policy where the screen was locked if the keyboard was not touched for some period (typically about 5-15 minutes). Today's desktop systems can do the same thing, but the settings are typically under the control of the individual user. This puts the onus on the user to set some reasonable timeout period, which directly impacts how secure the user's system, and subsequently the whole network, is. Only through major machinations involving setting and locking user profiles can an administrator or manager impose the policy absolutely.
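The "setting and locking user profiles" route described above can be scripted on a modern Linux desktop. The script below is an added example, not part of this article; it assumes a GNOME desktop using dconf (the standard paths under /etc/dconf are dconf's own), writes a system-wide idle timeout and screen-lock setting, and lists those keys in a dconf lock file so individual users cannot change them. The 5-15 minute window is the one this article suggests. Pass a directory other than /etc to preview the generated files without touching the live system.

```shell
#!/bin/sh
# Added example (not the article's own code): enforce an inactivity screen
# lock for all GNOME users through a system dconf database plus a lock file.
# Assumes dconf is in use and that `dconf update` is run afterwards as root.

# Policy window taken from the article: lock after 5 to 15 minutes idle.
POLICY_MIN_SECONDS=300
POLICY_MAX_SECONDS=900

# check_timeout SECONDS -> 0 if SECONDS is an integer inside the policy window
check_timeout() {
    secs=$1
    case "$secs" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
    esac
    [ "$secs" -ge "$POLICY_MIN_SECONDS" ] && [ "$secs" -le "$POLICY_MAX_SECONDS" ]
}

# write_screenlock_policy ROOT SECONDS
# Writes ROOT/dconf/profile/user, a system database fragment and a lock file.
# Refuses to write anything when SECONDS is outside the policy window.
write_screenlock_policy() {
    root=$1
    secs=$2
    if ! check_timeout "$secs"; then
        echo "timeout ${secs}s is outside ${POLICY_MIN_SECONDS}-${POLICY_MAX_SECONDS}s" >&2
        return 1
    fi

    mkdir -p "$root/dconf/profile" "$root/dconf/db/local.d/locks"

    # Profile: each user's own settings are layered over the system db "local".
    printf 'user-db:user\nsystem-db:local\n' > "$root/dconf/profile/user"

    # System defaults: idle delay, locking enabled, lock immediately when idle.
    cat > "$root/dconf/db/local.d/00-screensaver" <<EOF
[org/gnome/desktop/session]
idle-delay=uint32 $secs

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0
EOF

    # Locks: keys listed here cannot be overridden from a user's own settings.
    cat > "$root/dconf/db/local.d/locks/screensaver" <<EOF
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF
}

# Usage (as root): sh enforce-lock.sh /etc 600 && dconf update
if [ $# -eq 2 ]; then
    write_screenlock_policy "$1" "$2"
fi
```

The lock file is what turns a default into a policy: without it the settings are merely the starting values a user can change in the Settings panel, which is exactly the weakness the paragraph above describes.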
The next article in this FUD series will deal with some of the cultural issues of security - keeping the kids from learning too much too fast, and keeping grandma from being assaulted by today's in-your-face vendors of all things XXX.