Security's Weakest Link
Janette Toral
[April 19, 2003] If there’s anything I hate about attending network security events and meeting the so-called experts, it is that no matter what you tell them you have in place, such as a firewall, anti-virus software set to update itself, and undisclosed passwords, among others, they always give the same answer: “It is not enough; that doesn’t guarantee security.” Then what makes it secure?
There has been so much hype about how crackers break into corporate systems and retrieve sensitive information. More often than not, we dismiss such incidents as the company lacking network security policies and technologies. But according to Kevin Mitnick and William Simon, authors of the book “The Art of Deception”, the human factor is security’s weakest link.
Despite well-written network policies, intrusion detection, firewalls, and time-based tokens, which create an illusion of security for managers, companies remain very much vulnerable to attack from social engineers who can obtain sensitive information with or without the use of information technology. With enough research and preparation, a social engineer can get the sensitive information and cooperation they need from a helpful employee whom you least expect, using just a few phone calls and some misrepresentation.
Social engineers rely on basic tendencies of human nature in their attempts to manipulate. These include:
1. Respect for authority. We tend to give in easily to people whom we know, assume, or believe have the authority to make a particular request. If properly trained, an employee should validate that the person requesting information is who they claim to be. Does he or she have the authorization to know this and to make such a request?
2. Likeability. We tend to be accommodating to likeable individuals when granting their requests.
3. Reciprocity. We have a tendency to return the favor to an individual who has given us something of value, material or not.
Companies that have a large number of employees, multiple facilities, voice mail systems, and local extension numbers printed on business cards, among other things, are vulnerable to these risks.
If there’s one security book that every employee and IT user should read, this is the one. Mitnick and Simon illustrate various forms of deception that enabled social engineers to get past the most sophisticated security technologies and policies. Each con is also analyzed, with advice on how it can be prevented. Depending on the reader’s intent, the reverse may also apply.
Perhaps through this book, individuals will come to see security not merely as a technology issue but as a serious business, management, and process issue.
The book, The Art of Deception, is published by John Wiley & Sons and available at your local bookstores. Should you have a hard time finding this book, email Jherlie Cheng for assistance.