Security managers spend significant amounts of time analyzing software vulnerabilities and patching the same. I just looked at the Common Vulnerability and Exposure database (CVE) and see that it now has 47,555 vulnerabilities. But how many security managers have analyzed or cataloged the social engineering vulnerabililties faced by their organizations? I suspect few. Virtually all security managers have a technical background and social engineering skills (for good or evil) do not come naturally for most. Now however, we have Kevin Mitnick’s new book, Ghost in the Wires, the practioner’s handbook of social engineering. I don’t normally choose to purchase or recommend books written by convicted felons, but in this case I am making an exception. Mitnick’s story is full of specific examples of social engineering tricks. This is such a common attack vector today this his book is valuable reading for all involved with protecting information. From Ghost you can identify attack vectors that apply to your organization and make sure that mitigating controls are in place.
Some examples from Mitnick’s experience.
1. Reconnaissance–Mitnick was a master at researching his targets, learning their language and culture before calling anyone. Today this is much easier with web sites and social networks. You can’t eliminate the web, but you need to periodically monitor information that is on your web site and on social networks. Do you really need the help desk number and process for resetting passwords published on your public facing web site? I have seen this at more than one site.
2. Tailgating–This is entering a building behind others. Not a problem in small firms or large firms with professional security guards. I have seen this in campus settings where the organization is distributed enough that people do not know each other, but the culture is relaxed. If this is an issue at your site, make it part of regular awareness training.
3. Impersonating Insiders–One of Mitnick’s favorite hacks. In most of his calls to “marks” he posed as a tech support person, help desk person or other insider. Training is needed to remind employees that they must verify the identity of anyone asking them for sensitive information. Phone numbers can be spoofed as can IP addresses and email addresses. Trust but verify must be the mantra.
4. Dumpster diving–Another of Mitnick’s tricks. Many businesses still have tons of paper data with sensitive information. Do you have a process for disposing of it? Usually it will be outsourced. This hack is so common, that it is worthwhile going over the process in detail. Do the same for disposing of electronic data contained on PC’s, servers and other devices.
In summary, if you pay as much attention to social engineering vulnerabilities as to software and technical vulnerabilities, you stand a much better chance of staying out of the sequel to Mitnick’s book.
Book an Appointment for Cybersecurity Issues
Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.