Friday, July 17, 2009

Hacking the Weakest Link... The Human


There is a device in all our networks that is gullible, unpredictable, and lazy. It talks to foreign devices with no firewall between, ignores group policies, and even actively seeks to compromise our security measures. No amount of technology will correct these shortcomings. It's THE HUMAN. And it is amazingly easy to hack...

I ran across a Steve Riley video on Defending Layer 8, about the various different ways social engineering is used to get security-related information from company employees. You have to have a TechNet account to go straight to the video, but if you go to the link above, you can get to the video through the Related Videos frame on the right side without logging in. At least I did. He is amazingly entertaining...you won't fall asleep for sure...and informative. He exposes the underbelly of why humans are such easy targets. Some methods of compromise I already knew, but a lot were eye-opening. One such example is our genuine desire to be helpful. He also explains why we all love Wayne Small so much...Americans automatically (and inexplicably) trust Australians. It sounds weird, but I think he is right. And an astute hacker can use that knowledge (and a fake accent) to their advantage. Better watch this one, folks, so you have a better idea how to educate your users on this very subject.

As to education, what do we do about it? He gives some good examples on what to tell your clients. He also said that it is a workplace education process. Native Intelligence has a presentation that you can give your clients to "raise" their awareness on the different ways they are solicited. The site also has a number of printed and electronic materials that can be used. There are even some free education materials that you can download and print.

So, what course of action did I get from this? I mean, is it so hopeless that I just throw up my hands and walk away? No. Admittedly, I can never fully secure that part of my networks. But I can reduce the footprint of the problem. I have enough here in the listed resources to start a "drip" campaign, just to raise the awareness of the average user over time. I plan to set up a series of emails that give several "awareness" bits to my users, and then have them time-released so the clients get one every couple of weeks. I do not expect my clients to understand the inner complexities of security, but I do want them to pause and ask "Should I be doing this? Who is this person? Etc."
