Human error and social engineering are two of the largest information security challenges facing companies today, as Jason Lackey of Cisco Security discovered when he interviewed a former member of the much-talked-about hacker group Anonymous, who goes by the name SparkyBlaze.
In Lackey’s blog post “Life After Anonymous – Interview with a Former Hacker,” he explored SparkyBlaze’s thoughts on the current state of the security industry, homing in on security in the workplace. Here’s what SparkyBlaze had to say:
Information security is a mess… Companies don’t want to spend the time/money on computer security because they don’t think it matters. They don’t encrypt the data nor do they get the right software, hardware and people required to stay secure. They don’t train their staff not to open attachments from people they don’t know. The problem isn’t the software/hardware being used… it is the people using it. You need to teach these companies why they need a good information security policy.
Another information security challenge that SparkyBlaze mentioned in the interview was social engineering, or people who pretend to be someone they are not in order to get privileged information:
In my mind social engineering is the biggest issue today. We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing? It all comes down to lies, everyone does it and some people get good at it.
Social engineering raises a lot of security issues in the workplace, as nobody expects that the person on the other end of the phone is trying to trick them into giving up confidential information, such as passwords. This becomes especially tricky in larger organizations, because not every employee works in the same location, and nobody knows every person in the company.
Train employees to verify the identity of the person requesting the information. Two techniques you can teach them are:
- Ask verification questions: when someone calls and requests access to a system or a password, ask them a series of questions to help verify their identity. If an employee can’t verify that the person is who they say they are, tell them to deny the request. This only works if your company has established a set of questions to ask and has implemented the process throughout the organization.
- Call them back: when someone calls you and requests a password or other type of information, tell them you’ll call them back. Call them back on the number you have on file for them or that’s posted in the company directory, not on a number the caller gives you. If the person you reach says they never called you, then you know that the person who made the original call was trying to scam you.