The Mitnick attack. The 10 attack. Social Engineering. Each of these emphasizes how readily people part with valuable information to someone posing as an IT staffer, a very attractive member of the opposite sex, or someone friendly. You may now add candy bars and women…
No matter how you slice it, the weakest point in any security program ends up being the end user. User training seems to work when the message is repeated frequently, but without hearing why security matters, it seems quickly forgotten.
That is, of course, unless the message starts at the top with a strong corporate policy, well understood consequences, and swift, consistent enforcement. During my security training (I believe my CISSP), the instructor shared an example of a large, Canadian company with a zero-tolerance policy toward password disclosure. A Sr. V.P. within the company did just that with his secretary. During an audit, the IT staff discovered the VP logged in while on travel in 2 separate places, checking email. The VP was immediately terminated, and the secretary put on probation.
This information trickery is the same idea as pretexting in the privacy world. A caller (typically) phones a target under some false pretext, such as a survey or sweepstakes winnings. After ‘verifying’ enough publicly available information, such as name, street address and phone number, the caller then offers additional details incorrectly or incompletely so that the target fills them in: typically date of birth, mother’s maiden name, the bank where winnings may be deposited, or a social security number to report the winnings to the IRS.
Once armed with this information, the assailant calls in to the bank after ‘losing’ their checkbook, or simply requests a change of address. From there, enough information is in hand to (hopefully only) clear out the checking account, or continue with a complete identity theft. Banks and retail merchants are recognizing this trend and are putting more and more measures in place to protect their customers.
Security is one of the five domains integral to the Certified Information Privacy Professional (CIPP), and for good reason. The chocolate and the sweepstakes winner are the same problem, and are mitigated through the same policy and training. Now if we could just convince the user populace: if it seems too good to be true, it probably is.