Technological solutions can address only technological problems. Everything else requires policies, procedures, practices, and education. People need to understand the importance of security in their day-to-day life and they need regular reminders through an awareness program.

People are social animals needing to communicate with others. They want to brag about their accomplishments and complain about their troubles, especially with those who are involved in similar pursuits, even if they are competitors. All the computer security in the world will not help if the information that these measures are protecting is being gathered from people. People are generally more willing to share information than machines are.

Publishers

Individuals in the organization need to be kept aware of how the information that they make public may affect the organization. Today, the posting of resumes on the Internet has become common. These are full of useful information, not only about the individual, but also the systems he or she has been working with, the type of work being done, and more. Personal websites of employees boast of achievements and complain about the organization's shortcomings. All is valuable information to an attacker.

Eavesdropping

Hackers take every opportunity they can to look over the shoulder of someone who is entering "secret" information, whether it is a phone card number, an ATM PIN number, or a password for a computer system. Crowded areas are a prime location for these types of activities. All of us need education about the handling of information. You need to take the same care with company information as you would with personal information. You must be aware of your surroundings and pay attention to those around you.

There are also high-tech methods of eavesdropping. It has even been demonstrated that a laser can be bounced off a window and vibrations caused by the sounds inside the building can be collected and turned back into those sounds.
The cost of high-tech surveillance has made it available only to the professional information gatherer. But as with all high-tech electronics, falling prices are making it more affordable for a wider audience. As in most other things, security is an economic issue. Security is the process of making it economically unfeasible to compromise the system or information.
Socializing

It has long been said that it is easier to get information by buying someone a drink after work at the local pub than by trying to covertly gather it. Once befriended, people are very likely to talk about what is happening in their life, including office gossip. Why should a hacker steal information when all he has to do is ask for it? This technique requires the hacker to be a sociable person, which many computer hackers are not. However, this is the mainstay of the professional information-gathering industry.

Social Engineering

Social engineering is a confidence game; that is, gaining the confidence of the victim so he or she will give you the information you are requesting. Hackers can accomplish this through a number of methods. They will often start by calling the phone numbers around a modem number to find out what company owns the modem line. Once they identify the company, they will start to work on the employees. A successful social engineer will both use intimidation and prey on people's natural desire to help people who ask for help. He will utilize new employees to get information from them and he will impersonate new employees to get information from help desks and other employees. He can befriend users who have privileges, or he can convince someone that he is a support person and he needs the information to debug a system problem. Much social engineering will go unnoticed, since a hacker will ask one individual only a few specific questions and then move on. These attacks will be numerous inconsequential inquiries that add up to a great wealth of information.
Trojan horses are a type of social engineering via software. Games that request passwords so that others cannot pretend to be you while playing the game will surprisingly often yield login passwords. Another common Trojan horse is the exciting new utility that does something very useful while giving your privileges to the hacker. These are just a few ways that a hacker can abuse the trust a user has put into him or his software.

Trusted Advisor

It is possible that a hacker will know more about the computer system than anyone else, including the system manager. If he is an employee, he has an advantage. He is already trusted, knows the people and the relationships, and can use his knowledge to build relationships with system managers, programmers, and other people who have privileges on the system by helping them with the problems they have with the system. In this manner he will become a trusted advisor, someone to whom these people turn when they need help. To facilitate this assistance, people will often allow him to access the system with their login, thereby giving him access to their privileges.

Every employee should be aware of the importance of information security. The lion's share of security incidents are caused by either current or former employees. This is why you must know the mood of your personnel. Most employee hackers are disgruntled employees who will cause trouble of some type; the computer is just a handy tool. Specific employees generally become disgruntled when there is stress in their life, either personal or business-related. However, if the company is going through change that has the employees concerned about layoffs or strikes, then you must be more alert to the possibility of in-house hacking.

You must impress upon your users the importance of not sharing logins and passwords. If a user needs special privileges, he should be given a special temporary login specific for the function that he is to do. This is required for accountability.