Most IT managers work hard to patch systems and applications, making sure the latest high-risk security vulnerabilities are closed off. That is necessary, but it is critical not to forget social engineering vulnerabilities: many computer intrusions have a major social engineering component, and the patch level of your servers does nothing about them. Law firms are built on trust and are particularly vulnerable to this type of attack.
I was reminded of these vulnerabilities through recent local and national news headlines. First was the August 1 conviction in Nashville, TN of Josh Holly. Holly entered a plea of guilty to possession of stolen credit card numbers, but he first gained notoriety by hacking Miley Cyrus’ MySpace and Gmail accounts. How? By social engineering a MySpace administrative worker. Then there was the conviction in Knoxville, TN of David Kernell last November for hacking into Sarah Palin’s email account. How did he do this? Simply by resetting her Yahoo password, answering the security questions with facts he could guess from public information about her. His case is on appeal; I’ll be curious to see what the 6th Circuit decides. I’m anticipating more hacking in the upcoming national election.
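The password-reset attack in the Kernell case is worth seeing in code, because the recovery flow itself is a design weakness that an identity team can fix. The following is an added example, not code from the original post and not Yahoo’s actual recovery flow: a toy account-recovery service gated only by security questions, attacked with a small candidate list of the kind of facts reconnaissance turns up, beside a hardened version that throttles attempts and also requires a code delivered out of band. The account, its answers and the candidate lists are all constructed.

```python
import hmac
import itertools
import secrets

# Constructed victim profile (hypothetical). The answers are the kind of
# low-entropy facts that news coverage or a social profile makes public.
VICTIM = {
    "email": "victim@example.com",
    "answers": {"birth_date": "1970-05-05", "zip_code": "12345", "high_school": "central"},
}

# Constructed reconnaissance output: a few candidates per question is all an
# attacker needs once the answers are public facts rather than secrets.
RECON = {
    "birth_date": ["1971-05-05", "1970-05-05", "1970-05-06"],
    "zip_code": ["54321", "12346", "12345"],
    "high_school": ["north", "central", "riverside"],
}


def _answers_match(submitted, expected):
    """Every question must be answered correctly; comparison is constant-time."""
    if set(submitted) != set(expected):
        return False
    ok = True
    for question, answer in expected.items():
        ok &= hmac.compare_digest(submitted[question].strip().lower(), answer)
    return ok


class WeakRecovery:
    """Reset gated only by security questions, with no attempt limit."""

    def __init__(self, account):
        self._account = account

    def locked(self):
        return False

    def reset(self, email, answers, oob_code=""):
        if email != self._account["email"]:
            return None
        if _answers_match(answers, self._account["answers"]):
            return secrets.token_urlsafe(16)  # reset token goes to whoever answered
        return None


class HardenedRecovery:
    """Questions are only a throttled first step; the reset also needs a code
    delivered out of band (registered phone or backup address), which the
    attacker cannot obtain by guessing."""

    MAX_ATTEMPTS = 3

    def __init__(self, account):
        self._account = account
        self._failures = 0
        self._pending_code = None

    def locked(self):
        return self._failures >= self.MAX_ATTEMPTS

    def send_out_of_band_code(self):
        """Simulates delivery to the registered phone; only the owner sees it."""
        self._pending_code = "".join(str(secrets.randbelow(10)) for _ in range(6))
        return self._pending_code

    def reset(self, email, answers, oob_code=""):
        if email != self._account["email"] or self.locked():
            return None
        if not _answers_match(answers, self._account["answers"]):
            self._failures += 1
            return None
        if self._pending_code is None or not hmac.compare_digest(oob_code, self._pending_code):
            self._failures += 1
            return None
        self._pending_code = None
        return secrets.token_urlsafe(16)


def attack(service, email, recon):
    """Try every combination of reconnaissance candidates until the service
    issues a token or locks the account. Returns (token_or_None, attempts)."""
    questions = list(recon)
    attempts = 0
    for combo in itertools.product(*(recon[q] for q in questions)):
        if service.locked():
            break
        attempts += 1
        token = service.reset(email, dict(zip(questions, combo)))
        if token:
            return token, attempts
    return None, attempts


if __name__ == "__main__":
    token, tries = attack(WeakRecovery(VICTIM), VICTIM["email"], RECON)
    print(f"weak flow: token issued after {tries} guesses: {token is not None}")
    hardened = HardenedRecovery(VICTIM)
    token, tries = attack(hardened, VICTIM["email"], RECON)
    print(f"hardened flow: token issued: {token is not None}, locked after {tries} guesses")
    owner = HardenedRecovery(VICTIM)
    code = owner.send_out_of_band_code()  # the real owner reads this from their phone
    print(f"owner with answers and code: {owner.reset(VICTIM['email'], VICTIM['answers'], code) is not None}")
```

Against the weak flow the attacker needs at most 27 guesses and the service hands over a reset token; against the hardened flow the account locks after three wrong answers, and even the correct answers are useless without the out-of-band code. The design point is that knowledge-based answers drawn from a person’s public life are not secrets and should never be the only gate on account recovery.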
These social engineering techniques are described in great detail in Kevin Mitnick’s new book, Ghost in the Wires (2011). I don’t like paying a convicted felon, but this book is a good education and I recommend it for security managers. Mitnick was a master of social engineering and is not hesitant to describe his tricks. These include reconnaissance (now easy for anyone to do using Google), tailgating, impersonating insiders, dumpster diving and many others. His most effective technique was to impersonate inside staff when communicating with other inside staff. With a little background information (names, internal jargon, who reports to whom), this method worked repeatedly.
If you don’t take steps to mitigate social engineering in your organization, you are leaving big security holes open, and technology alone won’t close them. One step is to include this topic in your awareness training, with details of real attacks such as the ones above rather than generalities. A second is to put social engineering (phone pretexting, phishing, walking in the front door) in the scope of your outside penetration testing. The results will help drive home the message that, despite all our security technology, it can still be easy for attackers to break in.