Humans Still Weakest Security Link

WASHINGTON — Recognizing that humans are the weakest link in any security
chain is a staple of any IT security gathering, and the issue is as relevant today as
ever, a Gartner analyst said Tuesday afternoon at the research firm’s 10th Annual IT Security Summit.


In fact, according to Rich Mogull, Gartner’s director of information security,
social engineering — hacker-speak for
compromising security systems by human manipulation rather than technology –
is currently “epidemic,” and the enterprise is vulnerable to
surprisingly simple tricks and ruses as never before.


“Social engineering is so powerful it can completely circumvent all of your
security if done right,” Mogull said.


Criminal hackers, for instance, know it is often easier to pick up the
telephone, pose as someone in the security department and ask an employee
for their password. Mogull says it happens more times than companies are
willing to admit. Even simpler, and just as common as ever, is a visitor
walking through a company and collecting passwords written on Post-Its.


“We are seeing some of the worst social engineering attacks we’ve ever
seen,” Mogull said. “Technology is just the vector. Social engineering is
done over technology but not by technology. The best firewall in the world
is useless if the person behind it gives away the access codes.”


Mogull said almost all cyber attacks begin with research. Hackers either probe
the system with stolen passwords or they simply manipulate employees who
think they are being helpful. The new twist is using camera cell phones to
photograph documents, organizational charts and telephone lists.


The photographer can be an on-site visitor, someone posing as a delivery
person or even a member of the cleaning crew.


“A criminal can get an awful lot of information about your company by simply
having access to your organizational chart,” he said. “A simple click and
the criminal knows who works in your IT department. Now they have a target.”


Mogull also cautioned that companies should carefully monitor publicly
available information. “With a little research, incredible amounts of
information are available on nearly every person or enterprise,” he said.


Another new angle, Mogull said, is what he calls “reverse social engineering.”
This is the practice of using technology, such as camera phones or
laptops, to gain access and then using that access to dupe “helpless” users
out of sensitive information.


“Attacks can target the physical world or the electronic world directly,” he
said. “Attacks in one world can be used as a basis to attack the other.”


Solutions are as old as the problem, Mogull said. This begins with building a
security culture within the enterprise — carefully screening employees and
ongoing users — as well as administration and management education. “It starts with
policy and a structure that actually manages security,” he said,
adding that, far too often, a company’s physical security force is left out of
the loop.


“Most of the physical security you all have in your organizations is
terrible,” Mogull said. “I know this because I visit a lot of Gartner
clients. I always go to the front desk, sign in and get a visitor pass. What do
I do? I put it in my pocket and walk around. Maybe 10 percent of the time I
get asked about it.


“It always begins with the culture, he said. “I can’t stress that enough.”
“You want to turn them into a security asset not a security liability. They
should know if someone walks in with a USB drive. We don’t use devices like
that.”


The advent of wireless devices puts even more pressure on the enterprise to
open communication channels between the IT security department and physical
security. Mogull said the physical security team should be aware of
suspicious activity, such as unfamiliar people using laptops in the public
areas of a company and, even more suspiciously, strangers sitting in a car
in the parking lot using laptops.

News Around the Web