The Art of Deception: Controlling the Human Element of Security
sensitive customer information, because he may not actually work for the company at all.

    MITNICK MESSAGE
    Everyone should be aware of the social engineer's modus operandi: Gather as much information about the target as possible, and use that information to gain trust as an insider. Then go for the jugular!

    Trust Wisely
    It's not just the people who have access to clearly sensitive information - the software engineers, the folks in R&D, and so on - who need to be on the defensive against intrusions. Almost everyone in your organization needs training to protect the enterprise from industrial spies and information thieves.

    Laying the groundwork for this should begin with a survey of enterprise-wide information assets, looking separately at each sensitive, critical, or valuable asset, and asking what methods an attacker might use to compromise those assets through the use of social engineering tactics. Appropriate training for people who have trusted access to such information should be designed around the answers to these questions.

    When anyone you don't know personally requests some information or material, or asks you to perform any task on your computer, have your employees ask themselves some questions. If I gave this information to my worst enemy, could it be used to injure me or my company? Do I completely understand the potential effect of the commands I am being asked to enter into my computer? We don't want to go through life being suspicious of every new person we encounter. Yet the more trusting we are, the more likely that the next social engineer to arrive in town will be able to deceive us into giving up our company's proprietary information.

    What Belongs on Your Intranet?
    Parts of your intranet may be open to the outside world, other parts restricted to employees. How careful is your company in making sure sensitive information isn't posted where it's accessible to audiences you meant to protect it from? When is the last time anyone in your organization checked to see if any sensitive information on your company's intranet had inadvertently been made available through the public-access areas of your Web site?

    If your company has implemented proxy servers as intermediaries to protect the enterprise from electronic security threats, have those servers been checked recently to be sure they're configured properly?

    In fact, has anyone ever checked the security of your intranet?
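    One concrete way to answer the question above is to sweep the public-access pages of the Web site for indicators that intranet material has leaked: RFC 1918 addresses, hostnames under internal domains, and classification markers such as "internal use only". The following is an added example written for this edition of the page, not code from the book; the sample pages, the internal domain suffixes (`.corp.example.internal`, `intranet.example.com`) and the marker phrases are all constructed assumptions that you would replace with your own naming conventions and crawler output.

```python
import ipaddress
import re

# Constructed sample of pages served from the public-access area of a
# company web site. These documents are made up for this example.
PUBLIC_PAGES = {
    "/index.html": (
        "<h1>Starboard Shipbuilding</h1>"
        "<p>Contact us at info@example.com.</p>"
    ),
    "/press/2024-q1.html": (
        "<p>For internal review only. Draft shipped from build server "
        "build01.corp.example.internal (10.20.30.40).</p>"
    ),
    "/docs/onboarding.html": (
        "<p>New hires: the help desk extension is 4455. "
        "Log in at https://intranet.example.com/portal with your badge number.</p>"
    ),
}

# Indicators assumed for this example; tune them to your own environment.
INTERNAL_HOST_SUFFIXES = (".corp.example.internal", "intranet.example.com")
CLASSIFICATION_MARKERS = re.compile(
    r"\b(internal (?:use|review) only|confidential|do not distribute)\b", re.I
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def private_ips(text):
    """Return dotted-quad strings in text that fall in private (RFC 1918 etc.) ranges."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip.is_private:
            found.append(candidate)
    return found


def internal_hosts(text):
    """Return hostnames in text that belong to the assumed internal domains."""
    hosts = {h for h in HOSTNAME.findall(text)
             if h.lower().endswith(INTERNAL_HOST_SUFFIXES)}
    return sorted(hosts)


def scan_page(text):
    """Return (indicator, value) findings for one page body, in a stable order."""
    findings = []
    for ip in private_ips(text):
        findings.append(("private-ip", ip))
    for host in internal_hosts(text):
        findings.append(("internal-host", host))
    for match in CLASSIFICATION_MARKERS.finditer(text):
        findings.append(("classification-marker", match.group(0)))
    return findings


def scan_site(pages):
    """Map each page path to its findings, omitting pages with none."""
    report = {}
    for path, text in pages.items():
        findings = scan_page(text)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_site(PUBLIC_PAGES).items():
        print(path)
        for kind, value in findings:
            print(f"  {kind}: {value}")
```

Run it over the HTML your crawler pulls from the public site (the page bodies replace `PUBLIC_PAGES`); any hit is a page that should be reviewed for material that belongs behind the intranet boundary. The regexes are deliberately loose, so expect a few false positives and treat the output as a review queue rather than a verdict.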

Chapter 5 "Let Me Help You"
    We're all grateful when we're plagued by a problem and somebody with the knowledge, skill, and willingness comes along offering to lend us a hand. The social engineer understands that, and knows how to take advantage of it.

    He also knows how to cause a problem for you... then make you grateful when he resolves the problem... and finally play on your gratitude to extract some information or a small favor from you that will leave your company (or maybe you, individually) very much worse off for the encounter. And you may never even know you've lost something of value. Here are some typical ways that social engineers step forward to "help."

    THE NETWORK OUTAGE
    Day/Time: Monday, February 12, 3:25 p.m.
    Place: Offices of Starboard Shipbuilding

    The First Call: Tom DeLay

    "Tom DeLay, Bookkeeping."
    "Hey, Tom, this is Eddie Martin from the Help Desk. We're trying to troubleshoot a computer networking problem. Do you know if anyone in your group has been having trouble staying on line?"
    "Uh, not that I know of."
    "And you're not having any problems yourself?"
    "No, seems fine."
    "Okay, that's good. Listen, we're calling people who might be affected 'cause it's important you let us know right away if you lose your network connection."
    "That doesn't sound good. You think it might happen?"
    "We hope not, but you'll call if it does, right?"
    "You better believe it."
    "Listen, sounds like having your network connection go down would be a problem for you..."
    "You bet it would."
    "... so while we're working on this, let me
