UNIVERSITY OF WALES NEWPORT
MSc. Computing
COMPUTER NETWORK (CSC1307)
REFLECTIVE ESSAY ON
THE ART OF DECEPTION (Controlling the Human Element of Security)
Kevin D. Mitnick & William L. Simon

Written By
Ibrahim Abaker Targio

DATE SUBMITTED: May 11, 2009
RECEIVED BY: Mr. Christopher Lim (Course Lecturer)
INTRODUCTION

How fragile can an organization be? This was a question that was put to me some time ago by one of my more advanced colleagues. It sounded funny and confusing. Is an organization really fragile? If so, in what context is it fragile? These are questions I kept asking myself until recently, when I took my Masters course in Science Computing. During the course of my Masters of Science Computing programme, I was taught about Network and organizational Security, and as the course went into more detail, I finally found answers to my long-puzzling questions. Of course an organization might truly be fragile in the context of security by not having the necessary and right security policies to guide the operations of the organization, or perhaps by having the ignorant perception that nobody is interested in how an organization is run and managed. In truth, no matter how small an organization may be, there is someone or some people out there who envy, and are perhaps jealous of, how successful the organization is. If given the opportunity, this person or set of people wants to bring the company down or take it out of business. These sets of people are what Kevin D. Mitnick and William L. Simon (2002) called Social Engineers. Kevin D. Mitnick and William L. Simon authored the book “The Art of Deception: Controlling the Human Element of Security”. During the course of my Masters Programme I was fortunate to read this eye-opening and interesting piece of work. A well detailed and analytical explanation is given about the profession called Social Engineering and those who are involved in the practice, as well as when and how they carry out their operations. In this book, Kevin D. Mitnick and William L. Simon (2002, p.3) narrowed down to the fact that “Humans are security’s weakest link”.

MY INITIAL UNDERSTANDING OF ORGANIZATIONAL SECURITY

To me all that mattered was the hardware infrastructure. As a matter of fact, I so much admired any organization that paraded the very latest and most sophisticated network hardware infrastructure, such as Intrusion Detection Systems, Intrusion Prevention Systems, Firewalls, Routers, Switches, etc., and had the most competent hands to manage them. It seemed to me that the security of such a system must be very tight. It is so amazing for me to now understand that I was only seeing security from one angle, which is the infrastructural angle, and leaving the human loophole or weakness behind.
MY EXPERIENCE

Prior to my learning about Network Security, I had never thought that there are people out there who could illegally gain access to an organizational network by using tricky ways to deceive people or employees into giving them what they needed. When I was working as a trainer in Capital Hospital in my country, I found out that most of the employees did not have comprehensive knowledge of how to fully operate a computer. One of the Secretaries of the Chief Medical Consultant had the responsibility of keeping some sensitive medical data and not giving it to anybody who did not have permission to access it, but because she was not well trained about the confidentiality of corporate documents and systems, she simply asked for my assistance to change the password on her system. Knowing that I definitely did not have permission to log on to her system, I asked her to give me her current password, as well as the new password she wanted to use for the system. I was glad to render this assistance to her without having any ulterior motive. At this time I had never heard of the words Social Engineering or Social Engineer, let alone how they operate. It is so obvious that if this assistance had been rendered by a Social Engineer, then a big security loophole would have been left for him to strike from a remote location; well, this is on the condition that he had a particular interest in the organization.

MY UNDERSTANDING AS I READ THE BOOK

Social Engineering is defined as the act of tricking a person to get sensitive information rather than breaking into a system. Kevin D. Mitnick used to be a social engineer, and in his book he describes in detail the ways that social engineers can quickly gain trust and then extract increasingly valuable information out of company employees, usually over the phone or from pieces of paper that are thrown away by some employees. Social Engineers see the weakness in employees, and this is the willingness of people or employees to render help or assistance to their fellow employee without adequate confirmation of the so-called fellow employee’s status. Even when it is well spelt out that a particular document or piece of information is classified or confidential, they use sympathy and the desire to assist to get this information given out to the other, unconfirmed person through a phone conversation. This is one of the greatest weapons of the Social Engineer, and for many years it has proved successful. I have come to realize that the nonchalant “I don’t care” attitude of employees towards their duty has really made Social Engineering attacks much more successful. For instance, writing a system password on the departmental notice board, on the monitor screen or pasting it under the keyboard. This is truly a bad practice and must be stopped if the impact of Social Engineers is truly to be avoided. Social Engineers are aware of all these weaknesses, and so when they present themselves as legitimate personnel in an organization, they already know where to look to get the password they are looking for. Most people know that they should not give out passwords to strangers, but they are not at all concerned about giving out names, e-mail addresses or telephone extensions to those same strangers. A Social Engineer can use such seemingly harmless bits of information to gain the trust of another employee at the same company or organization, and then use this information to pretend that he is one of them, until employees are handing out sensitive information to a total stranger over the phone simply because he sounds like one of them.
It takes more than just having the latest and most sophisticated network infrastructure to stop a Social Engineer; instead, additional emphasis should be placed on the vulnerability of human weakness when it comes to security issues, and hence adequate and functional policies should be spelt out to take care of these human loopholes by enlightening and educating people about the existence of Social Engineers and how they operate. When this is done, then to a reasonable extent an organization can be sure of a reasonable level of security, bearing in mind that one hundred percent (100%) security can never be achieved. The book is full of brief stories that serve to demonstrate how different types of social engineering attack play out. I have to admit that at first, while I was reading the stories in this book, I was muttering to myself that there was no way real employees would behave as described, but the more I thought about it, the more examples I could think of in real life where people had been more than obliging over the phone, despite not knowing me.

MY PRESENT VIEW ABOUT SECURITY

At this level I can now say that for an organization’s security to be tight, a lot more than just Network Security hardware is needed to secure the perimeter of the organization. While Network Security hardware secures the organizational hardware end, Management Security Policies should secure the human and man-powered end of its security. To this end it is my opinion that organizations should set up a body to look into issues relating to Social Engineering and Social Engineering attacks. This body should be given the autonomous power to draft Management Security Policies that cater for the human weakness. They should also be responsible for organizing, coordinating and carrying out training and awareness as regards matters relating to Social Engineering and the like. I recommend that this autonomous body should address their duties according to the following recommendations:

• All members of management must agree to the policies and understand the need to properly prove their identities when making requests for passwords, etc.
• The policies must be disseminated to all users of the network, with education and training provided as to why compliance is essential.
• There should be explicitly defined consequences for violating the policies.
Your security policies should be specific and should address such issues as:

• Strong password policies: minimum length, complexity requirements, requirements to change passwords at specified intervals, prohibition on dictionary words and easily guessed numbers such as birthdates and social security numbers, etc., and prohibitions on writing down passwords.
• Prohibitions against disclosing passwords: to whom (if anyone) passwords can be disclosed and under what circumstances, and the procedure to follow if someone requests disclosure of passwords.
• Requirement that users log off or use password-protected screensavers when away from the computer, and cautionary instructions on ensuring that no one is watching when you type in logon information, etc.
• Physical security measures to prevent visitors and outside contractors from accessing systems to place key loggers, etc.
• Procedure for verifying the identity of users to the IT department and of IT personnel to users (secret PINs, callback procedures, etc.).
• Policies governing destruction (shredding, incineration, etc.) of paperwork, disks and other media that hold information a hacker could use to breach security.
(Windows Security 2009)

If all these points are fundamentally followed, I am quite optimistic that an organization should be secure enough to avoid successful strikes by Social Engineers.
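The strong-password bullet above names concrete requirements (minimum length, complexity, a rotation interval, no dictionary words, no birthdates or social security numbers). As an added illustration that is not part of this essay or of the Windows Security article it cites, the following Python checker turns those requirements into executable checks that an IT department could run when a user picks a new password. The thresholds, the tiny word list, the leetspeak substitutions and the sample passwords are all constructed for the example; a real policy body would set its own values and load a full dictionary.

```python
import re
from datetime import date

# Constructed policy parameters (assumptions for this example, not values from the essay).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3      # of lower, upper, digit, symbol
MAX_PASSWORD_AGE_DAYS = 90

# Constructed toy word list; a real deployment would load a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "hospital", "newport",
                    "summer", "admin", "letmein"}

# Common letter-for-symbol substitutions, undone before the dictionary check
# so that "P@ssw0rd" is still recognised as "password".
_LEET = str.maketrans("0143$5@!", "oiaessai")

# "Easily guessed numbers": eight-digit calendar dates (YYYYMMDD, DDMMYYYY,
# MMDDYYYY), nine-digit runs such as a social security number, and digit sequences.
_YEAR, _MONTH, _DAY = r"(?:19|20)\d{2}", r"(?:0[1-9]|1[0-2])", r"(?:0[1-9]|[12]\d|3[01])"
DATE_RE = re.compile(f"{_YEAR}{_MONTH}{_DAY}|{_DAY}{_MONTH}{_YEAR}|{_MONTH}{_DAY}{_YEAR}")
NINE_DIGITS_RE = re.compile(r"\d{9}")
SEQUENCE_RE = re.compile(r"0123|1234|2345|3456|4567|5678|6789|"
                         r"9876|8765|7654|6543|5432|4321|3210")


def check_password(password, last_changed=None, today=None):
    """Return a list of policy violations for a candidate password.

    An empty list means the password complies with every check below.
    last_changed/today are dates used only for the rotation-interval rule.
    """
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        violations.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")

    normalised = password.lower().translate(_LEET)
    found = sorted(w for w in DICTIONARY_WORDS if w in normalised)
    if found:
        violations.append("contains dictionary word(s): " + ", ".join(found))

    if DATE_RE.search(password):
        violations.append("contains a calendar date (possible birthdate)")
    if NINE_DIGITS_RE.search(password):
        violations.append("contains a nine-digit number (possible social security number)")
    if SEQUENCE_RE.search(password):
        violations.append("contains a simple digit sequence")

    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_PASSWORD_AGE_DAYS:
            violations.append(f"older than {MAX_PASSWORD_AGE_DAYS} days; must be changed")

    return violations


if __name__ == "__main__":
    # Constructed sample passwords; the date is the essay's submission date.
    samples = ["Summer2009!", "P@ssw0rd1234", "Ab!xyz19850714", "Hx7!mQ2#vL9pR"]
    for pw in samples:
        result = check_password(pw, last_changed=date(2009, 1, 1), today=date(2009, 5, 11))
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The dictionary check runs on the leetspeak-normalised string, so the usual "replace o with 0" trick does not evade it; the date and sequence checks run on the raw password because those digits are not substitutions. Rotation is checked separately from strength so that an otherwise compliant password still reports only the age violation once the interval has passed.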
REFERENCES

• Mitnick, K. D. and Simon, W. L., 2002, The Art of Deception (Controlling the Human Element of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• Windows Security 2009, How to defend against Social Engineers, viewed May 7, 2009, from http://www.windowsecurity.com/articles/Social_Engineers.html
• Security Focus 2009, Common intrusion tactics and strategies for prevention, viewed May 7, 2009, from http://www.securityfocus.com/infocus/1533