Modernizing Authentication — What It Takes to Transform Secure Access
A pretty -- not beautiful -- girl comes into the lobby of a local companyand glances around. She walks up to the receptionist and explains she hasa meeting with the Information Technology director and is running late.She says she is very embarrassed and would the receptionist tell her theconference room number and she'll just sneak into the meeting. Feelingsorry for the young lady, the receptionist tells her the main conferenceroom is on the third floor and lets her into that part of the building.
Once in the elevator, the woman gets off on the fourth floor -- not thethird. She wanders the halls. A gentleman stops her because she doesnt'have a badge. But she smiles sweetly, asks him about his day and prettysoon they are chatting about this and that. He forgets why he stopped herand goes back to his office.
She continues down the hall. This time she sees someone going into thecomputer lab and he allows her to follow him through the door. She hasone of those smiles that lights up her entire face, and it doesn't gounnoticed. She explains that she is a student at the local university andshe's going to be a summer intern in the IT department... part of herinternship is to see how the computer lab works.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i She spends the next hour looking around, chatting with the networkadministrators and lighting up a usually boring environment.
The girl leaves the building, waving good-bye to the receptionist on herway out and thanking her again.
After all, she should thank her and all the others she spoke to duringher visit.
The woman leaves with Post-it notes that had been stuck onto monitorswith passwords and user identifications (usually 'admin'). She has awealth of knowledge on how the network is set-up, what kinds ofprotection mechanisms are in place and even how to get around theprotection -- thanks to a young techie who was more than pleased to showher how 'smart' he was.
She now owns their network, their industry secrets and theirsystems.
This is a classic case of social engineering.
According to sbc.webopedia, social engineering is defined as: ''In therealm of computers, the act of obtaining or attempting to obtainotherwise secure data by conning an individual into revealing secureinformation. Social engineering is successful because its victimsinnately want to trust other people and are naturally helpful. Thevictims of social engineering are tricked into releasing information thatthey do not realize will be used to attack a computer network.''
Whatitis.com states: ''In computer security, social engineering is a termthat describes a non-technical kind of intrusion that relies heavily onhuman interaction and often involves tricking other people to breaknormal security procedures. A social engineer runs what used to be calleda 'con game'.''
Either definition makes it clear that social engineering involves humaninterraction. That is the major factor that makes protection againstsocial engineering difficult. All the firewalls, and identification andauthentication mechanisms are ineffective against a seasoned socialengineer.
So, how do you protect your network from these types of people?
The best protection against social engineering tactic is a well-trainedemployee, who is aware of this kind of scam. The employee is the targetof social engineering. Employees need to be made aware that even thoughthey need to be helpful on the job, they need to be cautious andinquisitive.
Security training that reinforces the requirement to protect useridentifications, passwords, and other such information is a validprotection against social engineering. Employees also need to be aware oftheir surroundings to ensure that people without proper identificationare confronted and escorted to security personnel. They also need to beaware of unauthorized people trying to follow them into secured areas.
This awareness training isn't just for computer users and networkadministrators. It's for every employee -- the receptionist, secretaries,file clerks, etc. Training should be a yearly event.
Anything that looks suspicious should be reported. Be suspicious of thatperson you have never seen before, or someone asking questions that raisea little red flag in the back of your head. You never know when it's aperson on a mission to obtain information that can, and will, be usedagainst you.
The next time a friendly individual approaches you with a request forassistance in getting information that you know should be protected, beprepared. Check it out before you give out any information. Beware thesocial engineer!