The Art of Deception: Controlling the Human Element of Security
still no guarantee. Expensive locks or no, the homeowner remains vulnerable.

    Why? Because the human factor is truly security's weakest link.

    Security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play. The world's most respected scientist of the twentieth century, Albert Einstein, is quoted as saying, "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." In the end, social engineering attacks can succeed when people are stupid or, more commonly, simply ignorant about good security practices. With the same attitude as our security-conscious homeowner, many information technology (IT) professionals hold to the misconception that they've made their companies largely immune to attack because they've deployed standard security products - firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. Anyone who thinks that security products alone offer true security is settling for the illusion of security. It's a case of living in a world of fantasy: They will inevitably, later if not sooner, suffer a security incident.

    As noted security consultant Bruce Schneier puts it, "Security is not a product, it's a process." Moreover, security is not a technology problem - it's a people and management problem.

    As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a phone call, and involves minimal risk.

    A CLASSIC CASE OF DECEPTION

    What's the greatest threat to the security of your business assets? That's easy: the social engineer - an unscrupulous magician who has you watching his left hand while with his right he steals your secrets. This character is often so friendly, glib, and obliging that you're grateful for having encountered him.

    Take a look at an example of social engineering. Not many people today still remember the young man named Stanley Mark Rifkin and his little adventure with the now defunct Security Pacific National Bank in Los Angeles. Accounts of his escapade vary, and Rifkin (like me) has never told his own story, so the following is based on published reports.

    Code Breaking

    One day in 1978, Rifkin moseyed over to Security Pacific's authorized-personnel-only wire-transfer room, where the staff sent and received transfers totaling several billion dollars every day.

    He was working for a company under contract to develop a backup system for the wire room's data in case their main computer ever went down. That role gave him access to the transfer procedures, including how bank officials arranged for a transfer to be sent. He had learned that bank officers who were authorized to order wire transfers would be given a closely guarded daily code each morning to use when calling the wire room.

    In the wire room the clerks saved themselves the trouble of trying to memorize each day's code: They wrote down the code on a slip of paper and posted it where they could see it easily. This particular November day Rifkin had a specific reason for his visit. He wanted to get a glance at that paper.

    Arriving in the wire room, he took some notes on operating procedures, supposedly to make sure the backup system would mesh properly with the regular systems. Meanwhile, he surreptitiously read the security code from the posted slip of paper, and memorized it. A few minutes later he walked out. As he said afterward, he felt as if he had just won the lottery.

    There's This Swiss Bank Account...

    Leaving the room at about 3 o'clock in the afternoon, he headed straight for the pay phone in the building's marble lobby, where he deposited a coin and dialed into the wire-transfer room. He then changed hats, transforming
