Last year, I wrote a technical article entitled 'Social Engineering: Penetration Testing the Human Element' for Pentestmag.com, which focused on the process of a social engineering assessment using the art of deception, and on how easy it can be with simply a smile accompanied by an act of confidence.
In his book 'The Art of Deception', Kevin Mitnick dives deep into that art and shares the tricks he used to deceive people into giving him vital information. Not only did he succeed in tricking ordinary employees, he also managed to trick security administrators, managers, CIOs and other people holding top positions in organizations.
Then again, not many can be as charming, as confident and as cunning as Kevin, be it over the telephone or in face-to-face meetings. That's when hackers use the art in other forms: from cloning a website and hoping someone falls for it (phishing) to sending malicious links or attachments via email and crossing their fingers hoping someone clicks on them.
Earlier this month, KrebsOnSecurity reported that the famous hack and breach at Target could be the result of an email attack, a malware-laced phishing email sent to employees. [1] This trend of users easily falling prey to social engineering tactics has even led one vendor to suggest punishing careless employees to reduce security breaches. [2]
Looking back at the past, malware such as the famous 'I Love You' virus, 'Melissa' and 'Zeus' all spread by invoking human curiosity. A single click. That's all it takes. And thanks to that curiosity, those viruses managed to spread to over 50 million computers worldwide. Even important organizations such as the Pentagon, the CIA and the British Parliament were not spared. [3]
Employees play a huge role in ensuring the security of their organizations.
Organizations may have put the best security mechanisms in place to block any external intrusion, but if there is one thing hackers have learned from history, it is to attack human curiosity first, because it is much easier to fool a person than a system. As I wrote above, one click is all it takes to bring an organization to its knees.
To quote the security rock star Bruce Schneier: "Amateurs hack systems. Professionals hack people."
References: