sophisticated attackers with well-defined targets who are motivated by financial gain. These people focus on one target at a time rather than, like the amateurs, trying to infiltrate as many systems as possible. While amateur computer intruders simply go for quantity, the professionals target information of quality and value.
Technologies like authentication devices (for proving identity), access control (for managing access to files and system resources), and intrusion detection systems (the electronic equivalent of burglar alarms) are necessary to a corporate security program. Yet it's typical today for a company to spend more money on coffee than on deploying countermeasures to protect the organization against security attacks.
Just as the criminal mind cannot resist temptation, the hacker mind is driven to find ways around powerful security technology safeguards. And in many cases, they do that by targeting the people who use the technology.
Deceptive Practices
There's a popular saying that a secure computer is one that's turned off. Clever, but false: The pretexter simply talks someone into going into the office and turning that computer on. An adversary who wants your information can obtain it, usually in any one of several different ways. It's just a matter of time, patience, personality, and persistence. That's where the art of deception comes in.
To defeat security measures, an attacker, intruder, or social engineer must find a way to deceive a trusted user into revealing information, or trick an unsuspecting mark into providing him with access. When trusted employees are deceived, influenced, or manipulated into revealing sensitive information, or performing actions that create a security hole for the attacker to slip through, no technology in the world can protect a business. Just as cryptanalysts are sometimes able to reveal the plain text of a coded message by finding a weakness that lets them bypass the encryption technology, social engineers use deception practiced on your employees to bypass security technology.
ABUSE OF TRUST
In most cases, successful social engineers have strong people skills. They're charming, polite, and easy to like--social traits needed for establishing rapid rapport and trust. An experienced social engineer is able to gain access to virtually any targeted information by using the strategies and tactics of his craft.
Savvy technologists have painstakingly developed information-security solutions to minimize the risks connected with the use of computers, yet left unaddressed the most significant vulnerability, the human factor. Despite our intellect, we humans - you, me, and everyone else - remain the most severe threat to each other's security.
Our National Character
We're not mindful of the threat, especially in the Western world. In the United States most of all, we're not trained to be suspicious of each other. We are taught to "love thy neighbor" and have trust and faith in each other. Consider how difficult it is for neighborhood watch organizations to get people to lock their homes and cars. This sort of vulnerability is obvious, and yet it seems to be ignored by many who prefer to live in a dream world - until they get burned.
We know that all people are not kind and honest, but too often we live as if they were. This lovely innocence has been the fabric of the lives of Americans and it's painful to give it up. As a nation we have built into our concept of freedom that the best places to live are those where locks and keys are the least necessary.
Most people go on the assumption that they will not be deceived by others, based upon a belief that the probability of being deceived is very low; the attacker, understanding this common belief, makes his request sound so reasonable that it raises no suspicion, all the while exploiting the victim's trust.
Organizational Innocence
That innocence that is part of our national character was evident back when computers were