Contributed Column

All About IT

The Personal Side of Technology Security

by John Burton, NPI

Vermonters are generally a trusting lot. Many don’t lock their cars or homes and still invite a stranger in when a car has broken down. Some of this may come from needing to rely on one another during the cold winter months and some may just come from our innate faith in human goodness. Unfortunately the world has changed since we connected to the Internet. Along with the many benefits of hyper-connectivity come the drawbacks of “social engineering” attacks.

Surprisingly, today’s biggest computer security threat is not malware, unpatched software, or obsolete firewalls; it could be the behavior of your own staff.

Social engineers are con artists who mislead people to reveal or grant unauthorized access to sensitive information through bypassing physical and/or technical security controls. Social engineers use invented scenarios or impersonation to persuade someone to release information or do something that facilitates unauthorized access.

Social engineering is just a new twist on an old con game played in person, on the phone, or via mail for decades. It can come in the form of a confused person calling to meekly request a password change or someone impersonating an executive demanding immediate access to their account. It may even take the form of a person sifting through the trash. Another common form of social engineering is email phishing scams containing attachments or links from unknown sources.

Common social engineering techniques include:

• Tailgating — holding the door open for someone entering into a secure area

• Shoulder surfing — watching what you type or listening to a conversation

• Baiting — asking seemingly innocuous questions to find legitimate information that builds incremental security facts

• Surveys — survey requests designed to unwittingly disclose sensitive information

• Dumpster diving — searching through trash to obtain improperly destroyed confidential documents

• Unauthorized visitor — posing as an employee, auditor, or maintenance worker

The primary way to thwart social engineering is by raising security awareness — especially for public-facing workers — so they recognize and deal with common attacks. Typical training should include techniques for withholding sensitive information from unauthorized people; how to avoid revealing security details on social network sites, blogs, or email; the risks of interfering with, disabling, or bypassing security controls such as malware protection; ways to identify people behaving suspiciously in or near the office; the importance of not sharing passwords, PIN codes, or encryption keys; admonishment to never email passwords; and how to escort people through sensitive areas.

Methods to prevent attacks hinge on well-written policies based on security best practices. Continued protection results from regular monitoring, auditing, and training.

Many times firewalls and encryption just won’t stop a gifted social engineer from copying your intellectual property, or an irate former employee from taking restricted data. An attacker who wants to break into a system often attacks the weakest link: not operating systems, firewalls, or encryption algorithms, but people. Human weaknesses can be the easiest link to exploit.

Businesses often spend entire budgets on the latest and greatest security products but then forget that some of the most sensitive information is stored right inside their most valuable asset: the minds of their employees.

John Burton is a co-founder of NPI — secure managed voice and data services in South Burlington. www.npi.net.

Index of Contributed Columns

For information on submitting a contributed column see here.