Have you seen those status updates in Facebook?

"PLEASE put this on your status if you know someone (or are related to someone) who has been EATEN BY PANDAS. Pandas are nearly unstoppable and, in case you didn't know, they can also breathe fire. 93% of people won't copy and paste this, because they have already been eaten by pandas. 6% of people are sitting in their showers armed with fire extinguishers, and the remaining 1% are awesome and will repost."

In any system there is a weak link, and in IT systems the weak links are mostly you and me.  That is to say: the Human Factor.

Security is as smart as the lowest common dominator, and if that means that your receptionist is willing to divulge information about your company to anyone who asks, does it really matter that you have top-of-the-range IT security systems in place?

Does it matter if you have the best physical security in place, the best firewalls and IPS, if someone calls in and is able to sweet talk information out of someone in your company>

The 2010 Verizon Data Breach Investigation Report (http://www.verizonbusiness.com/Products/security/dbir/) is based on a study conducted by the Verizon RISK Team in partnership with the U.S. Secret Service.

There are many interesting details in this report, which is something that I read every year when it is published. Among the interesting items this year was this: of the 900+ incidents that have resulted in a cumulative 900 million-odd records being compromised during the six year history of the report, about 48% involved insiders, and 28% stemmed from social engineering attacks.

The data that was lost as a result of insider involvement were major leaks, and were usually perpetrated by an employee gone rogue.  They made major headlines in some cases.

That is not to say that there is a lot of information that can be inferred by simply speaking to someone in a target company. Information garnered can be detailed or incidental, but it all adds up.

For example, I call a user and pretend to be from the helpdesk to gather details on what version of Windows is in use, whether the user has changed his or her password, oh wait I can change that for you to a longer one, what is your current password etc.

You get the idea.

The same techniques of such an exercise could also be a phishing attempt for privileged information that could be used by competitors, or could affect a company’s stock price.

I can’t think of a more effective way of mitigating threats of this sort than through user education and good security policies.  Policies such as not allowing employees to speak to anyone about new products. Education that tells them that calls that seek sensitive information are possible, common, and that it’s OK to question callers that are seeking information of this nature, so hang up and call the help desk.

It is through continual user education that we can overcome inadvertent leaks of information to outsiders.

 

Technorati Tags: , , ,