


Social Engineering: The Human Side of Hacking

By Sharon Gaudin

May 10, 2002

Companies spend millions of dollars on firewalls, authentication processes and network monitoring software, but few bother to train employees how to avoid being duped into giving away critical information.

A woman calls a company help desk and says she's forgotten her password. In a panic, she adds that if she misses the deadline on a big advertising project her boss might even fire her. The help desk worker feels sorry for her and quickly resets the password - unwittingly giving a hacker clear entrance into the corporate network.

Meanwhile, a man is in back of the building loading the company's paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials. All free for the taking.

Hackers, and possibly even corporate competitors, are breaching companies' network security every day. The latest survey by the Computer Security Institute and the FBI shows that 90% of the 503 companies contacted reported break-ins within the last year.

What may come as a surprise, according to industry analysts and security experts, is that not every hacker is sitting alone with his computer hacking his way into a corporate VPN or running a program to crack executives' passwords. Sometimes all they have to do is call up and ask.

How to Thwart the Social Engineers: Security experts from both government and the private sector offer suggestions to protect your company from hackers using social engineering techniques.

The Feds' Top Hacker Speaks: Keith Rhodes, chief technologist with the U.S. General Accounting Office, discusses what companies should be doing to protect themselves, what risks are looming ahead and what exciting security technology is coming down the road.

"There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security," says Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, which has a congressional mandate to test the network security at 24 different government agencies and departments. "Companies train their people to be helpful, but they rarely train them to be part of the security process. We use the social connection between people, their desire to be helpful. We call it social engineering.

"It works every time," Rhodes says, adding that he performs 10 penetration tests a year on agencies such as the IRS and the Department of Agriculture. "Very few companies are worried about this. Every one of them should be."

Playing Off Trust

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or even by talking about a project with coworkers at a local pub after hours.

"Incidents of social engineering are quite high, we believe," says Paul Robertson, director of risk assessment at Herndon, Va.-based TruSecure Corp. "A significant portion of the time, people don't even know it's happened to them. And with the people who are good at it, their victims don't even know they've been scammed."

Robertson says for companies with great security technology in place, it's almost always possible to penetrate them using social engineering simply because it preys on the human impulse to be kind and helpful, and because IT executives aren't training employees to be wary of it.

"People have been conditioned to expect certain things," says Robertson. "If you dress in brown and stack a whole bunch of boxes in a cart, people will hold the door open for you because they think you're the delivery guy. Sometimes you grab a pack of cigarettes and stand in the smoking area listening to their conversations. Then you just follow them right into the building."

Guard the Perimeter

Eddie Rabinovitch, vice president of global networks and infrastructure operations at Stamford, Ct.-based Cervalis LLC, says he is definitely aware and on alert for various types of security attacks - technical or not. Cervalis is a managed hosting and IT outsourcing company.

"We continuously have training about security in general and social engineering in particular," says Rabinovitch. "People are out there looking for information. They're always looking for new ways to get at that information. In many cases, you can deal with it with tools, but it always comes down to procedures and your people."

Rabinovitch says he deals with social engineering by focusing a lot of training on his people on the perimeter - security guards, receptionists and help desk workers. For instance, he says security guards are trained to check on visitors if they go out in the smoking area to make sure they're not handing their admittance badge over to someone else. And he adds that if someone shows up in a utility worker's uniform, his visit is confirmed before he is allowed into the building to do any work.

Rhodes, who has focused on computer security, privacy and e-commerce in his 11 years at the GAO, says a lot of companies unwittingly put sensitive information up for grabs. Some companies list employees by title and give their phone number and email address on the corporate Web site. That allows a hacker to call an office worker and say, "Sally Jones in the Denver accounting office wants you to change my user ID." Or Rhodes says a company may put ads