How social engineering sinks security

The last time you went to a computer industry trade show, you probably picked up a few trinkets handed out by vendors: pens, mugs, stress balls. What if a vendor offered you a handy little 1GB thumb drive if you agreed to watch a 10-minute demo? Would you take it home and use it? Heck, yeah!

What happens if that thumb drive isn't as innocent as it looks? Maybe it comes preinstalled with a Trojan horse that's going to infect your PC and send private information back to a hacker. Do you think this is far-fetched? Well, think again.

A recent article on the Dark Reading Web site discusses a situation in which a credit union asked an ethical hacking company to test its computer security practices. The consultant dropped a few USB thumb drives in conspicuous places around the building where employees would find them and access them to see what was on them.

Unknown to the employees, the security consultant had preinstalled Trojan software that would load onto the unsuspecting employees' PCs and send configuration data back to the consultant via e-mail. Of the 20 thumb drivers planted, 15 were used as intended, signaling a weak link in security practices.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The last time you went to a computer industry trade show, you probably picked up a few trinkets handed out by vendors: pens, mugs, stress balls. What if a vendor offered you a handy little 1GB thumb drive if you agreed to watch a 10-minute demo? Would you take it home and use it? Heck, yeah!

What happens if that thumb drive isn't as innocent as it looks? Maybe it comes preinstalled with a Trojan horse that's going to infect your PC and send private information back to a hacker. Do you think this is far-fetched? Well, think again.

A recent article on the Dark Reading Web site discusses a situation in which a credit union asked an ethical hacking company to test its computer security practices. The consultant dropped a few USB thumb drives in conspicuous places around the building where employees would find them and access them to see what was on them.

Unknown to the employees, the security consultant had preinstalled Trojan software that would load onto the unsuspecting employees' PCs and send configuration data back to the consultant via e-mail. Of the 20 thumb drivers planted, 15 were used as intended, signaling a weak link in security practices.

The weak link, of course, is people. We're so darn trusting, naive and greedy. The bad guys know this and take advantage of it every way possible. It's called social engineering, and it's all about trust.

Social engineering is the principle behind phishing, pretexting, gimme schemes in which you seemingly get something for nothing and other methods that criminals use to gain your confidence before doing their dirty work. As technologies designed to prevent or at least detect miscreant activity improve, criminals tend to prey on the frailties of the human element.

The Art of Deception by criminal-turned-ethical-hacker Kevin Mitnick discusses how social engineering can be combined with computer hacking to wreak havoc on corporate, public and private networks. The lesson is that no matter how strong you build technology solutions to security issues, people can and do give up the keys to the kingdom without thinking about it.

Over the past year, I've looked at all kinds of security technologies - including those that block viruses, sniff packets, encrypt files, manage endpoints such as USB ports, monitor instant message discussions, test the content of data, detect malware on PCs, install patches, authenticate users, encrypt messaging sessions, analyze log files for forensic purposes, prevent zero-day exploits and create virtual spaces for browser sessions.

All these products do exactly what you tell them to do, and they rarely fail. But tell someone to protect his password, and he'll move the sticky note with the password from the monitor to his top desk drawer. The human element is far more fallible than technology.

We can't assume people will be smart about the way they use computers. A recent study conducted by the University of California at Berkeley and Harvard University found that a well-designed phishing Web site draws in people 90% of the time, despite all the publicity about phishing in the mainstream media.

What can be done about social engineering and the human weak link of computer security? The best thing you can do is create awareness and provide training for your employees. Honest people want to be a part of the solution, not part of the problem. They need to be taught about the threats and vulnerabilities - especially the ones relying on social engineering.

Mitnick cites his own case of stealing source code from Motorola years ago by sounding confident and authoritative on the phone. He posed as a Motorola employee, and a real employee went out of her way to send him proprietary code that he claimed he needed for a project. The only problem was that it wasn't a Motorola project. A trusting, helpful person didn't think to challenge his cover story before giving him trade secrets.

So the next time you call or e-mail me, forgive me if I'm automatically suspicious of you. I'm trying to heighten my awareness of security lapses because of social engineering, and you and your company should, too.

Read more about security in Network World's Security section.