Your systems are as impenetrable as you, your team and your partners can make them.
Your processes are amazing. They follow all the industry standards and your audits always come back 100% ‘secure’.
You and your team sleep easy at night knowing you’ve done everything you can to keep the boogeyman out.
But…in the blink of an eye, and against all odds it seems, you find a hacker sitting smack dab in the middle of your organization’s systems.
Your systems were perfect. Your processes were perfect. It’s inconceivable that a penetration could occur on your watch. Right?
Well…anyone that’s been in the IT business for more than a few months knows that no system or process is perfect and there’s always risk. Our job is to mitigate risk. We’ll never be able to eliminate risk completely, but we can do our best to minimize it.
While we in IT spend many hours/days/weeks/years thinking and dealing with security issues, we rarely go outside our ‘realm’ to talk to the rest of the organization about the importance of security. Sure, we build a document / webpage describing how important security is but do we really educate the rest of the organization on what it really means to be ‘secure’?
Do we go out of our way to talk to everyone about the importance of security? Do we train people on the dangers of Social Engineering? Have we educated ourselves on the dangers of security in the social world?
In today’s world where being ‘social’ is the new norm, social engineering is even more of a threat today than it ever has been. With the ability to interact in real-time with people from all over the world, enterprise security has become even more at-risk than ever.
Imagine your company has a Facebook page.
Someone sends a message to your marketing intern that says “hey…this is Bill from the London office…I’ve lost access to the Facebook page…can you add me again as an administrator?”
Your intern, trying to be helpful…and knowing full well who “Bill” is and that he is supposed to have access to the Facebook page, immediately responds and adds “Bill” to the Facebook page as an administrator.
Ten minutes later, the intern tries to access the Facebook page but no longer has access. He contacts “Bill” via company email and finds out that he is on vacation for the next month.
Looks like your Facebook page just got taken over.
This is a pretty simple example but one that can easily happen. A hacker targets an organization and finds a way in…it doesn’t take much to do this. Sure, in this example, the hacker isn’t “inside” the network, but they do have control of a very important piece of your organization’s marketing platform.
Christian Verstraete recently wrote a post titled Keeping Cloud in mind when you look at your security where he wrote:
As our world is getting increasingly integrated, and as social media is used by enterprises to reach their customers and prospects, we need to train our people to ensure they are watchful for social engineering. According to Wikipedia, social engineering, in the context of security, is understood to mean the “art of manipulating people into performing actions or divulging confidential information.” While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases the attacker never comes face-to-face with the victim.
Social Engineering comes in all forms: email, instant message, social networking, phone and in-person. Have you ever found someone walking around the hallways of your organization without proper ID or notification of their arrival? I have…and it’s unsettling to know that they could have found an unlocked computer and started plugging away at your systems.
Security policies will help against the approaches hackers take…if those hackers take on the IT group head-on. But hackers rarely hit the IT systems head-on; they go after the people around them.
Jim Harris points to a book titled Social Engineering: The Art of Human Hacking (amazon affiliate link) by Christopher Hadnagy as an example of what people are doing in the Social Engineering space. Jim quotes Hadnagy as saying:
“While software companies are learning how to strengthen their programs,” Hadnagy explained, “hackers and malicious social engineers are turning to the weakest part of the infrastructure — the people. The motivation is all about return on investment. No self-respecting hacker is going to spend 100 hours to get the same results from a simple attack that takes one hour, or less.”
No amount of money or technology will stop social engineering. It can slow things down, for sure. But…education will go just as far (or further) to help put the brakes on social engineering attacks.
Christian Verstraete finishes up his post by writing:
Pro-actively define your security strategy. Decide what an acceptable risk level is. Choose and implement tools and procedures accordingly and train, train, train your employees. Believe me, this may cost you money, but it will be a factor less than if your security is breached. Just think about the damage to your brand if you are compromised.
Train your employees. Not just the IT employees…but everyone. Teach them what Social Engineering means. Teach them that just because someone asks for something, it doesn’t mean they should get it. Finally…one of the best methods to combat Social Engineering attacks is to teach your people these three words: Trust but Verify.
That intern in the above story…he could have trusted “Bill,” but a quick email to “Bill’s” work email address (a channel the attacker didn’t control) would have easily stopped the Facebook attack.
Educate everyone in the organization to Trust but Verify. Education is expensive but should be looked at as another line-item toward securing the organization. You’ve spent millions on the technology…spend a little bit more to educate your people.
Image Credit: the no-wall door By ghirson on Flickr