Phone Calls More Dangerous Than Malware To Companies
dinscott writes "During the Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women from diverse backgrounds and experience levels tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses."
Re:complete results? (Score:5, Insightful)
In addition to its brevity, it also implies that 4 times as many "flags" were taken simply from searches of Google, LinkedIn, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...
Re:complete results? (Score:4, Insightful)
In addition to its brevity, it also implies that 4 times as many "flags" were taken simply from searches of Google, LinkedIn, and others (2x as many points scored, with flags being worth 0.5x those taken via social engineering). Sounds like the corporate website and employees' social networking accounts are the real threat ...
Since the article doesn't bother listing what the flags were, one cannot assign a weight to each of them. If all the flags were of equal importance, then I would agree with you. But if some are more critical than others, e.g. if flag 1 is "What is the CEO's name?" and flag 2 is "What is the CEO's login and password?", then comparing raw counts as the article is doing is both pointless and misleading.
Uh, so what was accomplished? (Score:0, Insightful)
It's like handing out a map to a rave that is nothing but a warehouse full of from-a-Mexican-hospital body parts. Or was that the exercise? A new low, /.. A new low.
This just in... (Score:5, Insightful)
If you staff your support lines with the cheapest labor you can get, you will end up with a call center of gullible fools.
Re:complete results? (Score:5, Insightful)
Revised headline: "Slashdot editors still drunk at work, approving spam".
Re:Caller ID (Score:5, Insightful)
Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?
People don't care about security. And why should they? It is not their job!
My pet peeve with security in most companies is that the CSO is trying to take the easy way out: shifting the burden of security onto his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters, 'til I have time to ponder something REALLY "secure"). And no writing down! How should you remember that gobbledygook? Not my problem!
That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one more headache, especially one that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.
So it's no wonder IT security is seen as some kind of Gestapo and Stasi rolled into one.
Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).
You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could [schneier.com]. In a nutshell: when a worker faces the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.
And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.
Of course, I'm fairly sure the CISO presented him a full-blown sheet of dos and don'ts for when someone from IT calls: verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.
How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.
Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most
Re:Caller ID (Score:4, Insightful)
You danced around the edge of it but missed the real issue. The real issue is the fact that the worker is seen as a slacker if they take the time to do things securely. If security isn't a mandate from the CEO and pushed down and invested in hard by the entire management organization, then it won't work. Period. Security has to be everyone's job to work well. That said, it also doesn't have to be (and can't be) overly burdensome, so much of what you said is still accurate.
The real key is that users must have the support of management to take the time it takes to be secure, and processes must make sense so that users see the benefit and the fact that their managers support the process. If you don't have that, they are going to do what it takes to please their manager, not the IT department, because that is their job.