Friday, July 9, 2010

The Human Firewall

Social engineering is an attack on your greatest asset, defense, and weakness: the human firewall. There are people who practice it as a means to bypass every electronic defense put in place to stop someone from coming into the network through the internet. All of the time, money, and effort spent on logical and physical perimeter defenses can count for nothing. It is also the most insidious kind of attack, since it is targeted specifically at one company, or even at one person in particular.
Most attacks take time, since the social engineer has to do some homework before expecting to gain access or pull off a successful breach. Technology has made the reconnaissance phase much easier. Google Maps, social networking sites, and even your company's own website can provide valuable information to an attacker. The social engineer can then gain further insight by reading employees' names off their badges at local restaurants or coffee shops, or by making late-night calls into the company, where the details employees leave in their voicemail greetings give away a great deal more.
Eventually they learn enough to pose as a repairman from one of your vendors, to show up for a fictitious appointment, or to drop a USB key or CD/DVD branded as coming from a vendor, where it is likely to be picked up and run from inside the company. There are also many more attacks, but this is a blog about prevention, and I would be more than happy to discuss those offline. The best place to defeat the attack is before it gets all the way in.
The key to thwarting any kind of attack is to keep the human firewall updated. Good education alone is a huge help, but it is not enough. Like any good plan, it needs to be tested so that corrections can be made to what you are doing. Written policies and procedures also give employees clear, basic guidelines for protecting themselves and the company, which is in their own interest as well, since it protects their privacy too. Privileges for individuals should never be more than their job requires. The Director of Finance, the Receptionist, and the Warehouse Manager all need system and data access to do their jobs, but the access each of them needs is very different, and it should be provisioned that way.
Social engineering is not always obvious, since it is meant to be subtle and to play on emotions and on the helpful habits people try to cultivate. It isn't an automated attack run from a distance against your network; it is meant to set up a technological breach up close and in person. Social engineering attacks take time to set up, develop, and execute, and like most criminals, a social engineer faced with a system that defends itself well, where the risk of getting caught is high, will eventually lose patience and move on.
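The least-privilege point above is easy to state and easy to let slip: accounts accumulate rights over time, and a social engineer who talks one employee into running something inherits everything that account can reach. The following is an added example, not code from the original post, showing how to express the "only what the job requires" rule as a deny-by-default check against role baselines and how to audit actual grants for privilege creep. The three role names come from the post; the permission strings, the user-to-role mapping, the grant lists, and the extra account "dave" are constructed sample data for illustration only.

```python
"""Least-privilege audit for role-based access (added example).

The role names are taken from the post; every permission string, user and
grant below is constructed sample data, not real configuration.
"""

# Baseline: what each role legitimately needs.  Anything not listed is denied.
ROLE_PERMISSIONS = {
    "director_of_finance": {"ledger:read", "ledger:write", "payroll:read", "email:send"},
    "receptionist": {"visitor_log:write", "directory:read", "email:send"},
    "warehouse_manager": {"inventory:read", "inventory:write", "shipping:read", "email:send"},
}

# Which role each account holds (constructed).  "dave" has left the company
# and has no role, but his account was never disabled.
USER_ROLES = {
    "alice": "director_of_finance",
    "bob": "receptionist",
    "carol": "warehouse_manager",
}

# What each account has actually been granted (constructed).  Bob was given
# ledger write access "temporarily" to cover for someone and it was never revoked.
ACTUAL_GRANTS = {
    "alice": {"ledger:read", "ledger:write", "payroll:read", "email:send"},
    "bob": {"visitor_log:write", "directory:read", "email:send", "ledger:write"},
    "carol": {"inventory:read", "inventory:write", "shipping:read", "email:send"},
    "dave": {"inventory:read", "email:send"},
}


def is_allowed(user, permission, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Deny-by-default check against the role baseline, not the raw grant list.

    An unknown user or an unknown role gets nothing, and a permission missing
    from the role's set is refused even if it appears in ACTUAL_GRANTS.
    """
    role = user_roles.get(user)
    if role is None:
        return False
    return permission in role_permissions.get(role, set())


def excess_privileges(actual_grants=ACTUAL_GRANTS, user_roles=USER_ROLES,
                      role_permissions=ROLE_PERMISSIONS):
    """Return {user: set of granted permissions beyond what the user's role requires}.

    An account with no role has a baseline of nothing, so every grant it holds
    is reported.  Users whose grants fit inside their role baseline are omitted,
    so an empty dict means no privilege creep was found.
    """
    excess = {}
    for user, granted in actual_grants.items():
        baseline = role_permissions.get(user_roles.get(user), set())
        extra = granted - baseline
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    # Run the audit and print what should be revoked.
    for user, extra in sorted(excess_privileges().items()):
        print(f"{user}: revoke {', '.join(sorted(extra))}")
```

The check consults the role baseline rather than the grant list on purpose: if the two disagree, the audit reports the difference as something to revoke, and the enforcement side never honours the stray grant in the meantime. Running the audit on the constructed data flags bob's leftover ledger access and everything still attached to dave's orphaned account.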
