Security, privacy, and risk management

I’m just about finished with my second reading of Kevin Mitnick’s The Art of Deception. Mitnick is most famous for being a hacker, cyber thief, and for a while, “America’s Most Wanted Computer Outlaw.” The basic premise is that you can put all the electronic safeguards in place that you want (firewalls and encryption and passwords) but the human element can still be manipulated by unscrupulous attackers. Mitnick calls this “social engineering” and the book is full of examples of authorized people opening locked doors, giving out passwords, and changing codes just because someone asks them to do it. His book has two major parts – the front, where he describes and dissects a variety of scams and cons (very educational!!) and the last chapter that includes a sample corporate security policy.

As Kevin Mitnick says, “The truth is that there is no technology in the world that can prevent a social engineering attack.” This is very much what I learned in my military training too – there is no such thing as 100% secure communication. One of my jobs was to do occasional operational security checks, just to prove this very point.

So what can we do? Training and awareness are two big steps forward. A couple of useful resources:

  • The recent release of a new ISO standard (ISO/IEC 17799 if you follow these things!) for information security. This is actually a revision of an older standard, but it’s rewritten and expanded.
  • There’s also an open source security standard, the OSSTMM (Open Source Security Testing Methodology Manual), at ISECOM (the Institute for Security and Open Methodologies).
  • The new show on Discovery Channel called “It Takes a Thief” where a guy breaks into people’s homes (with their permission) to highlight how insecure most people’s homes really are. People get lulled into a false sense of security because they have a dog or because they live in a “nice” neighborhood. They do stupid things like leave their keys in their ignition when the car sits in the driveway or install an alarm system but leave it off because of their pets.

In a related topic, a couple of recent news articles (like this one in the New York Times) have described issues where someone posts something to a public forum (like Myspace or Facebook) and then is surprised when someone actually reads what they wrote. For example, teenagers post about their underage drinking, and then are surprised when their parents and/or the police call them on it. Well, DUH! A public forum is just that… public, not private! And if they don’t understand the difference, they shouldn’t be posting anything.

