Humans Still Weakest Security Link

June 10, 2004

WASHINGTON -- Recognizing that humans are the weakest link in any security chain is a staple of any IT security gathering, and the issue is as relevant today as ever, a Gartner analyst said Tuesday afternoon at the research firm's 10th Annual IT Security Summit.

In fact, according to Rich Mogull, Gartner's director of information security, social engineering -- hacker-speak for compromising security systems by human manipulation rather than technology -- is currently ''epidemic'', and the enterprise is vulnerable to surprisingly simple tricks and ruses as never before.

''Social engineering is so powerful it can completely circumvent all of your security if done right,'' Mogull said.

Criminal hackers, for instance, know it is often easier to pick up the telephone, pose as someone in the security department and ask an employee for their password. Mogull says it happens more times than companies are willing to admit. Even simpler, and just as common as ever, is a visitor walking through a company and collecting passwords written on Post-Its.

''We are seeing some of the worst social engineering attacks we've ever seen,'' Mogull said. ''Technology is just the vector. Social engineering is done over technology but not by technology. The best firewall in the world is useless if the person behind it gives away the access codes.''

Mogull said almost all cyber attacks begin with research. Hackers either probe the system with stolen passwords or they simply manipulate employees who think they are being helpful. The new twist is using camera cell phones to photograph documents, organizational charts and telephone lists.

The photographer can be an on-site visitor, someone posing as a delivery person or even a member of the cleaning crew.

''A criminal can get an awful lot of information about your company by simply having access to your organizational chart,'' he said. ''A simple click and the criminal knows who works in your IT department. Now they have a target.''

Mogull also cautioned that companies should carefully monitor publicly available information. ''With a little research, incredible amounts of information are available on nearly every person or enterprise,'' he said.

Another new angle, Mogull said, is what he calls ''reverse social engineering''. This is the practice of using technology, such as camera phones or laptops, to gain access and then using that access to dupe ''helpless'' users out of sensitive information.

''Attacks can target the physical world or the electronic world directly,'' he said. ''Attacks in one world can be used as a basis to attack the other.''

Solutions are as old as the problem, Mogull said. This begins with building a security culture within the enterprise -- carefully screening employees and ongoing users -- as well as administration and management education. ''It starts with policy and a structure that actually manages security,'' he said, adding that, far too often, a company's physical security force is left out of the loop.

''Most of the physical security you all have in your organizations is terrible,'' Mogull said. ''I know this because I visit a lot of Gartner clients. I always go to the front desk, sign in and get a visitor pass. What do I do? I put it in my pocket and walk around. Maybe 10 percent of the time I get asked about it.''

''It always begins with the culture,'' he said. ''I can't stress that enough. You want to turn them into a security asset, not a security liability. They should know if someone walks in with a USB drive. We don't use devices like that.''

The advent of wireless devices puts even more pressure on the enterprise to open communication channels between the IT security department and physical security. Mogull said the physical security team should be aware of suspicious activity, such as unfamiliar people using laptops in the public areas of a company and, even more suspiciously, strangers sitting in a car in the parking lot using laptops.

This article was first published on