The Art of Deception: Controlling the Human Element of Security
himself from Stanley Rifkin, bank consultant, into Mike Hansen, a member of the bank's International Department.

    According to one source, the conversation went something like this:

    "Hi, this is Mike Hansen in International," he said to the young woman who answered the phone. She asked for the office number. That was standard procedure, and he was prepared: "286" he said. The girl then asked, "Okay, what's the code?"

    Rifkin has said that his adrenaline-powered heartbeat "picked up its pace" at this point. He responded smoothly, "4789." Then he went on to give instructions for wiring "Ten million, two-hundred thousand dollars exactly" to the Irving Trust Company in New York, for credit of the Wozchod Handels Bank of Zurich, Switzerland, where he had already established an account.

    The girl then said, "Okay, I got that. And now I need the interoffice settlement number."

    Rifkin broke out in a sweat; this was a question he hadn't anticipated, something that had slipped through the cracks in his research. But he managed to stay in character, acted as if everything was fine, and on the spot answered without missing a beat, "Let me check; I'll call you right back." He changed hats once again to call another department at the bank, this time claiming to be an employee in the wire-transfer room. He obtained the settlement number and called the girl back.

    She took the number and said, "Thanks." (Under the circumstances, her thanking him has to be considered highly ironic.)

    Achieving Closure

    A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history--and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of "biggest computer fraud."

    Stanley Rifkin had used the art of deception--the skills and techniques that are today called social engineering. Thorough planning and a good gift of gab is all it really took.

    And that's what this book is about--the techniques of social engineering (at which yours truly is proficient) and how to defend against their being used at your company.

    THE NATURE OF THE THREAT

    The Rifkin story makes perfectly clear how misleading our sense of security can be. Incidents like this - okay, maybe not $10 million heists, but harmful incidents nonetheless - are happening every day. You may be losing money right now, or somebody may be stealing new product plans, and you don't even know it. If it hasn't already happened to your company, it's not a question of if it will happen, but when.

    A Growing Concern

    The Computer Security Institute, in its 2001 survey of computer crime, reported that 85 percent of responding organizations had detected computer security breaches in the preceding twelve months. That's an astounding number: Only fifteen out of every hundred organizations responding were able to say that they had not had a security breach during the year. Equally astounding was the number of organizations that reported that they had experienced financial losses due to computer breaches: 64 percent. Well over half the organizations had suffered financially. In a single year. My own experiences lead me to believe that the numbers in reports like this are somewhat inflated. I'm suspicious of the agenda of the people conducting the survey. But that's not to say that the damage isn't extensive; it is. Those who fail to plan for a security incident are planning for failure.

    Commercial security products deployed in most companies are mainly aimed at providing protection against the amateur computer intruder, like the youngsters known as script kiddies. In fact, these wannabe hackers with downloaded software are mostly just a nuisance. The greater losses, the real threats, come from
