Saturday, March 05, 2005

Your security (and your company's reputation) rests in the hands of your employees

I've blogged on this topic before (Better develop a "culture of privacy", Edmonton cops investigated for misusing law enforcement databases and Sorry, but implementing privacy laws may upset some customers.), but it bears repeating again and again and again.

You can have the right privacy policies. You can harden your network and your systems to ward off hackers. All this effort will be lost if your employees are not sesitized to think about privacy and security all the time. Train them to think about how they hold business and customer information in trust ... and to trust their instincts if anything feels weird.

CNet is reporting on a presentation given by Kevin Mitnick who knows first hand how easily exploited employees can be.

Mitnick: Security depends on workers' habits CNET

"Famed ex-hacker Kevin Mitnick is warning against security strategies that focus on technology. Rather, teaching your staff to say no will help keep your network secure, he says.


Many companies invest heavily in technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him. Rather, some carefully planned social engineering--or even a bit of dumpster diving in one's spare time--can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," Mitnick said. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases, they even write down passwords and access information, or calendars that list every person that person has talked to or met with."

This information provides invaluable assistance to hackers keen to worming their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping in and pretending to be a business associate. Because people hate to say no, even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than brute-force technological attacks.


The solution to such security vulnerabilities is easy to understand but often hard to implement: Develop clear security policies for issues such as treatment of strangers, handling of information and access to physical facilities by visitors. Teach employees to fall back on those policies when they're in suspicious circumstances rather than trying to ad-lib their response or give in to their natural inclination to accommodate the hacker's requests.

Even a simple request for contact details, so that a company employee might call back the person requesting assistance, can be enough to make many hackers turn tail and run.

"We can't expect our employees to be human lie detectors," Mitnick said. "One of the most difficult challenges in corporate cultures is getting people to modify their politeness norms.

"Social psychology has found that people should generally pay attention to their own discomfort. If something doesn't feel right, or it's nagging at their gut, they'd better check it out. They're not always going to remember a security policy, but what you want is to come up with some very simple protocols that will trigger employees to refer to security policy. The only people who are going to object to this are the bad guys."

David Braue reports for ZDNet Australia."

No comments: