Tuesday, October 27, 2009

Social Engineering.

“It is much easier to trick someone into giving a password for a system than to spend the effort to hack into the system.” Kevin Mitnick, reformed computer criminal turned security consultant.

The attacker poses as someone he is not, usually someone acting in an official capacity. In most cases the two people never meet face to face.

It starts with pretexting. This is the set-up, where a plausible story is given for why the sensitive information is needed: “We need your login ID and password so we can reset them.”

“No one told me this was going to happen,” you say. “We may have some suspicious activity here and need your help to check it out,” they reply.
This technique has worked many times, and it seems the higher up in the organization you go, the better it works.

In a study first completed in 2003 (and later repeated), 90% of office workers gave up their password on a survey in exchange for a cheap pen.
Bottom line.

Never give out sensitive information to anyone who doesn’t have a “need to know.” This is a common tenet when working in a government-run security environment.
Say a friendly co-worker asks for your ID and password. “Why do you need it?” you ask. “Someone from the home office needs it.” In this case, in the absence of a company memo, I would suspect that some social engineering is taking place.

The threat may come through personal contact, but more commonly it arrives as an email or a phone call.
