The Art Of Deception By Kevin D,mitnick & William L Simon (reflective Essay)

UNIVERSITY OF WALES NEWPORT MSc. Computing

AD VANC ED C OMP UT ER NE TWOR K (C P13 07)

A REFLECTIVE ESSAY ON

THE ART OF DECPTION BY KEVIN DAVID MITNICK & WILLIAM L SIMON Written

By

Onwuegbuzie Innocent U.

DATE SUBMITTED: MAY 11, 2009 RECEIVED BY: Mr. CHRISTOPHER LIM. (Course Lecturer) 1

INTRODUCTION Organizations has a lot to merry and smile about when they are making success and declaring excess bonus at its Annual General Meeting (AGM) all seems to be going on fine, they attribute their success to the strong security back bone they have with regards to the latest security hardware’s and software’s watching their backs. It is unfortunate to realize that even as they rejoice upon their success, an antagonist referred to in this essay as Social Engineer is right their plotting and strategizing on how to wipe the smile out of their faces. He fervently closes up on them to find the “Slightest Loop-Hole” and lunches his attack at the exact time he feels convenient. Guess what this Security Loop-Hole is? The humans, manning this so-called sophisticated, latest hardware and software security infrastructures.

MY PREVIOUS KNOWLEDGE ABOUT ORGANIZATIONAL SECURITY While I was growing up as an aspiring and ready to break grounds young man, never did I thought that there was any serious need to secure a company’s information, be it confidential, private or public information. I felt that the success of most successful companies lies on how much money they pumped into the business to keep it up and running and how much of dedication and diligence the workers or staff of an organization put to ensure that the aim and goals of the company is achieved. Having heard and read about how some companies winded up and fell out of business, I most at times attribute it to staff embezzlement, bankruptcy, lack of focus and selfishness on the part of whosoever aided the collapse. Even when I made personal researches to what might have lead to the collapse of some of these companies, I only came up with accusing fingers pointed to the incompetent management staff, and perhaps gathered little or no information concerning the company’s Vital Information which I will refer to here as; “The Company’s Source Code”, which entails the secrets of the ways and how the company runs their business and keeping their heads high above the tides, which might have fallen into the wrong hands. In the course of my research I sometimes might come up with lack of maintenance of operational facilities as a major cause of companies collapse, and the management never cares about it. In as much as the money keeps rolling in, it seems to them that they were doing just fine. Right from my early days, most especially when I came to the realization of what a computer was and what one can achieve with it, I immediately fell in love with its discipline although I did not study it as a first degree course, I knew from that first day of my encounter with a computer that this was exactly what I had wanted to study, and as time goes by, I began to build myself in this direction, my interest never left the computing world as I was constantly keeping in touch with its growth, developments and implementations.

MY PAST PERSONAL EXPERIENCE My very first encounter with computer networks and security issues was way back in my third year in the university, where I was fortunate to do my Industrial Training Programme in an Internet Service Provider (ISP) Company. There was this particular incidence that took place that the companys’ network was half-way shut down by virus attack. My Boss and the CEO/owner of the company who was a High-Level IT officer working at Shell Petroleum Development Company (SPDC) in my country Nigeria acted swiftly as soon as he was notified of this security 2

compromise. He isolated the segment of the network that was badly hit by the virus, and then moved the clients that was on that affected channels to another back-up channel were they could keep up with the service of the company without interruption. This was my first experience of network security compromise; it was such an eye opening event for me, this was when I knew about the functionalities of network security devices such as Firewall, Intrusion Detection systems, Routers, Anti-virus programs etc. As I grew in this field I came to realize that for your network to be secured, you need the most sophisticated network security devices and a broader knowledge of how they work and being configured. For me at this point, it sounded that with all these things in place, then “Your network is the most secured network in the world”. Little did I know that even at this level, one is still very vulnerable to network break down and attacks. The study of my Masters of Science Computing gave me the privilege of reading the book titled: The Art of Deception: Controlling the Human Element of Security by Kelvin D, Mitnick and William L, Simon. My eyes were open to the fact that you might have all the sophisticated network security hardware’s and software’s, with up to date operating System Patches and Anti-Virus Updates, but still remain very vulnerable to security compromise to what Kelvin D. Mitnick called Social Engineers.

MY EXPERIENCE AS I READ ALONG The book; Art of Deception: Controlling the Human Element of Security, has truly given me a new dimension of viewing security. An organization might have in place all advanced and sophisticated hardware and software facilities, as well as having very competent hands to operate these facilities but still remain very unsecure to Social Engineers. The question now arises, what is Social Engineering and who is a Social Engineer? As defined by Wikipedia (2009) Social Engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. A Social Engineer is a person that uses the above defined techniques to achieve his aim or goals. An organization might not really appreciate the gravity of the attack of a Social Engineer until the bomb he has planted explodes. This could lead to winding up of an organization or perhaps threatens the standard of such organization in the global market. Social engineering attacks are increasing in frequency and can be technical or non-technical; both manipulate staff to gain unauthorized information which can then be used to damage the organization or for criminal purposes. Social engineering concentrates on exploiting the weaknesses of people, rather than IT systems or the computer security process. Staff targeted tends to be those who work in customer facing roles, especially IT, help desks, receptionists, security guards, cleaning and catering. Imagine the operational procedures of an organization to be in the freelance hands of a social Engineer, definitely this does not sound good to hear to an organization that fall victim. Social engineers use several avenues of attack. • Via the telephone: this is the most common form of Social Engineering approach usually to the front facing support desk staff to gain their confidence and active support. 3

• Face to face: a targeted member of staff will be approached and manipulated and tricked into giving support or information. • Via email: Phishing are the most common forms of Social Engineering attack via email. Emails are created to look like a legitimate request from a bank or other trusted organization with which you are happy to transact. • By searching through waste/trash bins for personal information: this is called Dumpster Diving or Skimming. It is a key activity in identity theft attacks. Social Engineers search for documents such as credit card statements and invoices and organizational documents to aid their strike. • Web searches, where too much detailed information about staff, departments, products, services and the organization’s key activities is posted on web sites. This is often a very simple open source search for Social Engineers; it assists them in the target acquisition process. • Online, Open Information. Online curricula vitae (CVs) are another useful source of personal information, and some web sites and news groups give details about whom you are and where you work if you have posted that information. To this end it is seen that Social Engineers has so many ways in which they can lunch their attacks, it is obvious that security firewalls, Intrusion Detection Systems, and other security devices are no match to them because one of their most powerful tool is human manipulation. Social Engineers manipulates the personnel’s manning these security devices to gain access into the corporate organization, hence at this juncture it is very pertinent for security experts to broaden their security perspective towards considering the human weakness and devising appropriate measures to checkmate this vulnerable loop hole.

MY CURRENT KNOWLEDGE ABOUT ORGANIZATIONAL SECURITY No doubt I now see things in a different way and a broader spectrum when it comes to network and organizational security. It is not enough for an organization to have all the sophisticated and latest hardware and say it has it all. Network and organizational security goes beyond just hardware’s alone but well and carefully planned Network and Management Security Policies that caters for the human weakness in security issues. Kelvin D, M, and William L, S, (2002, p.7) in his book said “There is a popular saying that a secured system is the one that is turned off. It sounds clever but false: The Pretexter simply talks someone into going into the office and turning that computer on”, once the system is on a Social Engineer uses his Hacking knowledge to gain access into that computer from a distance. Am now of the opinion that for an organization to fully boast of tight and secured system then it has to invest in training its employees against the attack of Social Engineers. This can done by delegating this responsibility to experts on Anti-Social Engineering or perhaps contract it to an Anti-Social Engineering Consulting firm. The entire staff of the organization should be trained, regardless of position and status, as Social Engineers can use any employee as a victim. To this end I will recommend the following: • Train employees/help desk to never give out passwords or other confidential info by phone •

Tight badge security, employee training, and security officers present

•

Don’t type in passwords with anyone else present (or if you must, do it quickly!)

•

All employees should be assigned a PIN specific to help desk support 4

•

Require all guests to be escorted

•

Lock & monitor mail room

•

Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment

•

Control overseas & long-distance calls, trace calls, refuse transfers

•

Keep all trash in secured, monitored areas, shred important data, erase magnetic media

•

Continual awareness of system and network changes, training on password use

•

Mark documents as confidential & require those documents to be locked

•

Keep employees on their toes through continued awareness and training programs

Security Focus (2009)

CONCLUSIONS The consequences of the attack of a Social Engineer are immeasurable compared to embezzlement and money laundry most especially if it leads to the winding up of an organization. Organizations should stop beating their hands on their chest in a way to boast of the extent of security of its system if the only implementation is on hardware’s alone, because as far as the Social Engineer is concern he still remains very porous. The success of every business depends on the commitment of its employees towards their duties. Since Social Engineers have seen “Human factor as security’s weakest link”, as said by Kelvin D, M, and William L, S, (2002, p.3), then employees should be properly and adequately aware of the existence of social engineers and the havoc they can cause the organization if they are allowed to strike. If an organization fails to take all necessary security measures seriously, then smart Social Engineers will take these measures against them instead.

5

REFERENCES • • •

Kelvin D, M, and William L, S, 2002, Art of Deception (Controlling the Human Element of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA. Wikipedia 2009, Social Engineering, Wikipedia: The Free Online Encyclopedia. Viewed April 16, 2009 from; http://en.wikipedia.org/wiki/IPsec. Security Focus 2009, Common intrusion tactics and strategies for prevention, viewed April 16, 2009 from; http://www.securityfocus.com/infocus/1533.

6