Tuesday, March 13, 2012

Inoculation

23 Questions with Kevin Mitnick from Hak5

(Skip to 11:15 for the section I'm talking about. The full interview can be found here.)



In our project for CS 280, we had initially intended to do what Kevin Mitnick is doing now: simulating an attack on the employees of a business so that they can recognize what a social engineering attack looks like. Medical vaccinations work the same way: you give the body a weakened form of a disease so that when the body is infected by the real thing, it can recognize the antigens and mount a strong defense.

The reason behind this is the basic human need to be helpful. Humans evolved as social creatures, where each individual did their best to help the pack. Much of our internal wiring is based on trusting others and helping out, so we do not initially (at least deep down in our guts) set out to distrust others - it is experience that brings out distrust. Think about it - ever been on vacation, handed over your camera, and asked a total stranger to take a picture of you and your significant other? And 9 times out of 10, what is that person's response? Either "Sure. Say cheese!" or, at most, you will be asked to reciprocate the favour for them. I've done it myself (both ways) at Grey Cup 2008 in Montreal and when my wife and I went on our cruise in July. People do want to be helpful, and that is not a bad thing.

The problem is when the "bad guys" take advantage of loopholes and short circuits in basic human psychology. As I've said before, the best security products and "least privileged accounts" will always fail when the staff is fully willing to hand over the keys to the network. Donuts, coffee, and some flattery (bonus marks if the bad guy even means it) will get you much farther than learning about 0-day hacks, cracks, and weaknesses in the system. Do employees mean to compromise system security? Other than disgruntled employees (what's a gruntled employee anyway?), in most cases they are simply trying to be helpful.

This is where Kevin Mitnick, and other white-hat hackers like him, come in (although due to his past, at best Mitnick could only be called a grey-hat). The simulation of social engineering attacks shows three main things to employees:
  1. What a social engineering attack looks like and how to recognize it.
  2. The damage that can be done.
  3. And most importantly, WHY security protocols are the way they are, and how YOU personally can help us protect the network.
This inoculation is vital for companies, and an employee who "fails" the test should actually be considered more valuable to the company. In my opinion, someone who passes the test has a risk of becoming complacent, and may not treat a real attack seriously. Whereas someone who has failed is much more likely to want to prove themselves to their employer. They will ask more questions, they will know why to ask those questions, and they won't be afraid to ask those questions even of someone claiming to be a police officer or a high-ranking executive in the company.

In one secured building I'm in on a regular basis, even the CEO must show his ID to the security guard, and they actually check the ID. It only takes a few extra seconds, but those few extra seconds are what matters when it comes to security. Asking a visitor to wait a few extra seconds while you verify that their visit is expected will scare off the social engineer (there are much easier targets out there), but legitimate visitors will often say "No problem", especially if you become a social engineer yourself and offer them a cup of coffee while they wait.
