Hackers succeed 99 per cent of the time when they use human weakness as a tool for breaking into corporate systems, a security expert said Monday.
Former hacker-turned-security consultant Kevin Mitnick told listeners at a recent Webcast over Radiodaddy.com that the human element is one of the greatest vulnerabilities of companies today.
In his book, The Art of Deception: Controlling the Human Element of Security, Mitnick cited the human factor as security’s “weakest link.”
Founder of Mitnick Security Consulting LLC, the infamous former hacker conducts social engineering prevention seminars worldwide, including Toronto last March for his two-day security certification workshop. Social engineering occurs when hackers prey on people’s weaknesses to accomplish their criminal intentions.
Mitnick was previously the FBI’s most wanted cyber criminal. After his capture and five-year prison sentence, he went straight and devoted his time as a security consultant.
While no amount of technology can defend companies against social engineers, there are ways to mitigate the risks, according to Marcus Shields, enterprise product manager for Toronto-based Soltrus Inc., a Canadian affiliate of VeriSign Inc., which provides digital trust services.
“(Social engineering) leverages a long list of human characteristics,” Shields said, adding that because some of these traits are innate and are just “not going to go away”, social engineers will continue to exploit them.
He said a good way of reducing the risk is by “establishing a culture” within the company that involves employee education on security policies and procedures.
Companies should proactively orient their employees toward the notion that “questioning” is part of the security process.
“If somebody questions your access or why you are doing something, don’t take it personally. That is just everybody doing their part of the job,” Shields said, adding that promoting a culture shift within an organization may not be as easy as it sounds.
That is because people are not generally confrontational, and questioning others about what they are up to is not a normal way of interacting with people, said Shields.
He cited a recent incident that involved a traditional form of hacking that was enabled by social engineering. The scheme started with a purchase of a uniform in order for schemers to act as an elevator service repairmen. After introducing themselves with fake identities, the intruders went inside the target company’s elevator shaft and found one of its main network cables. By installing a wireless access point, the hackers were able to get real-time information from traffic going through the company network.
In this case, the hackers initially established a level of trust by wearing fake uniforms, which was apparently enough for them to gain access into the building and perform their criminal act, Shields said.
“(Suppose) somebody walks in and says ‘I am Joe Smith, new system administrator, could you give me your username and password?’ Assuming that he can provide some kind of halfway credible evidence, [people] are more likely to agree to that kind of request,” he said.
Lack of adequate investment in human resources is one factor that could fuel social engineering attacks, the Soltrus manager said.
He cited a study conducted around U.S. airport security that found security companies contracted by airports employed people with low wages and gave those employees minimum training. Because of this, security personnel tend to perform their duties in “parrot fashion”. “[The employees] had no ability to think creatively and that was because the security firms were making the absolute minimum investment they could in their human resources,” Shields said.
The study was conducted by the U.S. General Accounting Office (GAO), which investigated the state of airport security following the 911 attacks in September 2001. GAO cited a 100 per cent annual turnover rate of security screening personnel, blaming low wages.
This pales in comparison with how their counterparts in Israel are regarded, Shield said. Israeli security personnel are “highly paid and highly trained to think creatively, and to think like the enemy, not just to read from a book.”
As for social engineers, he said, this is another human element that can be exploited.
As technology continues to innovate ways to raise the level of corporate security, more hackers will turn to social engineering tactics, Shields said. “Intruders are not only ruthless, they’re very inventive. I believe you are going to see more and more social engineering attacks because there is really no technological solution to it.”
Related links:
From ‘bragging rights” to “greed”: motive for security attacks changing, says expert
Security is not technology: CEO
