Information Security News mailing list archives

Social engineering holds clue to security leaks: expert


From: InfoSec News <isn () c4i org>
Date: Thu, 11 Dec 2003 03:08:38 -0600 (CST)

http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=54350

by Geoffrey Downey 
12/9/2003

FREDERICTON -- The Maritimes are behind the times when it comes to
information security governance, according to an expert, but many also
fall prey to the trickery of social engineering.

Mark Bernard, CEO of Hartland, N.B. headquartered Apollo Computer
Consultants, said this is especially true when it comes to the
Personal Information Protection and Electronic Documents Act, which
comes into full effect next month.

"I think private industry has been very slow to come around," Bernard
said. "I talked to the chief registrar of the medical association
about what they're doing to help the doctors adapt and they basically
said, 'We're sitting back to see what happens.'

"It's slow coming. The awareness here in the Maritimes is very low.  
We're going to need a couple of big (court) cases before (things get
better)."

Bernard was one of many presenters Tuesday at a security and privacy
workshop organized by the Atlantic Chapter of High Tech Criminal
Investigation Association, an international association of public and
private sector security professionals based in Washington, D.C.

All the legislation and security technology in the world, however,
cannot bolster the weakest link in the chain: us. Roy Nicholl,
co-founder of Fredericton-based Surety Partners, said given enough
time someone within an organization is bound to unknowingly surrender
information needed to breach enterprise security. The process is known
as social engineering -- establishing trust with a hidden agenda.

"It's the hardest form of attack on an organization to defend against.
You can't buy firewalls to protect against it. You can't buy hardware
systems to protect against it," Nicholl said. "Why would you try to
hack into someone's security system when you can get them to open the
door and let you in?"

The crux of the problem is that human beings are hardwired to trust
others, Nicholl said -- we are conditioned to be helpful and we have a
fear of negative repercussions. A popular tactic is to get the person
with the information excited -- "I need this password or I'll get
fired," someone might say, or "If I don't get this information, you'll
get fired" -- so they won't think as clearly, he said.

"This serves as a distraction which interferes with your ability to
think things through rationally," Nicholl said.

Social engineers will also capitalize on our submissiveness to
authority. Nicholl said this is why someone will pretend to be the
vice-president or acting on behalf of an executive.

"The person purporting to be in a position of authority doesn't even
have to be present," Nicholl said.

The best defence against these attacks is ensuring policies and
practices are in place, Nicholl said, adding that employees need to be
regularly educated and reminded about how they should conduct
themselves. They also need to be able to recognise when someone is
using social engineering tactics against them, he said.

Catching and convicting someone for committing an electronic crime is
very hard, according to crown prosecutor Cameron Gunn. While the
information gap between segments of society has been much publicized,
there is also a gap between criminals and law enforcement.

Gunn said there are a number of factors contributing to the problem:  
the breadth of crimes, a lack of boundaries and a general lack of
understanding. This is compounded, he added, by the plummeting cost of
technology and cheap or free Internet access. Other factors include
the notion of anonymity, and the fact that criminals are aware of how
difficult some technology-related laws are to enforce, assuming there
are any.

We've reached a crossroads, Gunn said, when we must choose between
fighting and surrendering. Gunn said he'd like to see us fight, but
companies have to lead the charge and begin reporting security
breaches and other crimes. This is essential so everyone can get
better at their jobs, he said.

"You need to teach me a lot about computers; I need to teach you a lot
about criminals," Gunn said.



-
ISN is currently hosted by Attrition.org
