Social engineering: employees' loose lips can sink your company network. (Tech Issues).


In the movie Jumpin' Jack Flash, Whoopi Goldberg's character dons a blue sequined formal gown and high heels, charms her way into the computer room at the British Consulate, and punches up an exit code for a spy stranded in the former Soviet Union. That's "social engineering" in high style. It's less stylish when someone walks away with your customer database, prints checks on your company's bank account, or copies patients' confidential records. Social engineers can do all that and more without much technical skill. They manipulate people to get into tech systems: the janitor who lets someone back in for a forgotten coat, the receptionist who will show any repair person to the network closet, or the boss who complains about program XYZ causing so many problems.

Social engineering happens more often than you think.

Security engineer Justinn Washington, who heads Rockville, Maryland-based ELS Global Inc. (www.elsgolbal.com), knows how easy it is to crack a company's network. In 1999, he took over management of a network operations center (NOC) for a company with a high turnover rate, little or no maintenance documentation, and lots of fires to put out. Soon after Washington arrived, the NOC got a call from someone requesting the IP address for a Hewlett-Packard printer. "He presented himself to one of our engineers as a contractor providing service," says Washington. "The NOC engineer knew there was a history of maintenance and repair with the printers, so she followed his instructions to print out a statistics page, [which gave him the] IP address, machine name, etc."

But this wasn't about printing. On the network, the print server doubled as a backup domain controller, which keeps a copy of the domain's account database. Bottom line: the impostor could use the statistics page he was given to scan for more information, then masquerade as an internal user on the network and potentially gain access to the company's database of customer phone numbers, social security numbers, and credit card information. Washington monitored the IP address and brought in a forensics analyst to track down the impostor. "He hopped from three other companies to a university, which was the last place he could be traced," says Washington.

To prevent this from happening again, Washington instructed all employees to direct questions regarding hardware and software to the IT director. "If you don't know the potential consequences of giving out that information, then you could be socially engineered," he says.

BUT, ALL I SAID WAS....

"Employees often reveal information without realizing it. If someone riding home on the bus says, 'Our Exchange Server was acting up today,' you're letting others know that your operating system is Windows and you use Exchange Server," says Washington. "That information can be used to plan attacks and to [help crackers] make calls for further information." From there it's a matter of using known exploits against that software if the administrator hasn't patched them or doesn't know about them yet.

But businesses aren't the only ones that are vulnerable; government agencies also fall victim to such practices. "In many agencies, employees are trained to be helpful," says Joan S. Hash, group manager for information security at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. "Social engineers take advantage of people's desire to be helpful." This, of course, makes it easier for them to compromise your organization--and your employees. Hash cites a case in which a husband was searching for his estranged wife: "Through social engineering, he was able to get the name and address of her new employer. He tracked her down and beat her up badly." The damage social engineering causes can run the gamut from downed networks, identity theft, and equipment theft to terrorism, says Hash.

WHAT TO DO NOW

The best defense against social engineering is education, says Andrew A. Ryan, CEO of Andrew Ryan Consulting, Inc. of Alexandria, Virginia (www.andrewryanconsulting.com), and currently IT consultant for the National Society of Black Engineers (www.nsbe.org), also in Alexandria. "IT personnel should not assume that end-users are as adept at recognizing technological risks as they are. Therefore, it's really important to educate your end users that these things can happen."

One way to do this in a small company is to identify a "point person," someone in charge of what happens to the system. "In a larger organization, there needs to be a more efficient process for validating the authenticity of an individual. It may be as simple as issuing corporate IDs with different color dots on a rotating basis, so someone using an old or stolen ID can easily be recognized."

Hash adds that companies should also make sure employees report any calls asking for information about tech systems to the security representative in the organization. "Every agency chief information officer who runs the IT department is also in charge of making sure they have a well-supported, fully functioning security program in place," says Hash. She adds that NIST works with both the government and the private sector, reaching out to small- and medium-size businesses at security forums and conferences. Companies can also check out private business support and best practices at NIST's Computer Security Resource Center at http://csrc.nist.gov.

"A company can spend thousands of dollars on intrusion detection software, virus detection software, malicious intrusion detection, and firewalls--and someone can walk right in and say they're from the local computer company and then trash your systems," says Ryan. "Physical security is often the most overlooked aspect of security, and you've got to wrap your arms around it."

Proper Terms

* Cracker A cracker uses computer technology to break into other systems to steal or destroy property, whether tangible or intellectual. Crackers aren't necessarily gifted technologically, but they use technology as a means to an end.

* Hacker The term refers to a person who enjoys learning the details of programming systems just for the sake of doing so; they often quietly advise the owner of a compromised site or network where vulnerabilities lie. Though unauthorized access is illegal, hackers distance themselves from those who invade systems to steal or destroy.

* Social Engineer Akin to a con man or other sociopath, the social engineer manipulates people to gain access to systems. Rather than depending solely on technological prowess, he or she relies on people's naivete, goodwill, professional courtesy, and hesitance to question others to gain information.

Gentle Reminders

Andrew Ryan offers these tips for helping employees keep security in mind at all times:

1. Put your security policy in the employee handbook, and make it one of the things you review with new employees.

2. Place security alerts on your Intranet page where there is access to sensitive data, such as purchase orders, expense reports, and timesheets--all areas that only your employees should be privy to.

3. Remind employees that no one should ever ask them for their password.
COPYRIGHT 2002 Earl G. Graves Publishing Co., Inc.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Rohan, Rebecca
Publication: Black Enterprise
Date: Sep 1, 2002