Clipboards, Confidence, and Information Security

Monday, September 17, 2012

Tripwire Inc


Article by Dwayne Melacon

I’ve been involved in a lot of discussions over the past few months about “securing the human” with regard to information security.  

As I mentioned recently, I’ve been reading Kevin Mitnick’s book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” which I just finished and I highly recommend.

In the book, it was clear that Kevin had decent technical skills but wasn’t the most brilliant coder, the best infosec architect, or anything like that.  He was extremely successful because he was extremely good at social engineering.  

Sure, he exploited technical flaws, but most of his attacks succeeded because he was able to exploit weaknesses in people to gain access to the systems and data he wanted.

A long time ago, I used to experiment with getting into places just for fun.  At the time, I didn’t know there was a name for it – I hadn’t heard of social engineering.  One of the most effective “tricks” I found was to dress in a way that blended in with other people in the environment, and to pick up a clipboard with some papers and a pen on it.  

I’d then walk confidently wherever I wanted to go.  Often, I’d go through hotels, conferences,  convention centers, movie theaters, restaurant kitchens, etc. and just look around to see how far I could get before people challenged me.  You’d be surprised at how well it worked – I know I was.

I used to say that “a clipboard and a confident attitude will get you into most places.”  That’s true for physical access, but what about electronic access?  I’d say it’s harder in some ways because there are passwords, policy checks, etc. but what I recognized from reading Kevin’s book is that a lot of organizations overlook the linkage between the human and electronic infrastructure.  

Sure, we do a lot to try to establish and enforce good password policies, etc. but if people can trick someone into sharing their complex password over the phone it’s “game over.”

How do you teach paranoia and suspicion?  We often hire people because of their willingness to help others, their good communication skills, their ability to be responsive, etc. which means we are hiring “vulnerable” people who conscientiously use their “vulnerabilities” for good.  

Do you think it’s any coincidence that so many information security people have difficult UIs?  I don’t – part of a security mindset means questioning the status quo and being willing to confront others.

As we work through securing our humans, we need to strike a balance – trust but verify, assist but not unquestioningly, etc.  I’d love to hear from others about their play books for securing humans, especially any techniques to help balance helpfulness with suspicion.

After all, we don’t want just anyone with a clipboard to gain access to our infrastructure.

Cross-posted from Tripwire's State of Security

Danielle Russo: Good article.
I think we need to change people's behavior by rewarding them for challenging the status quo, while still giving great customer service. Let's try the carrot instead of the stick when dealing with your "Users".

One other point, I also read Kevin's new book. While there was some good content, I could not get over that this guy has the biggest, most unattractive ego I have ever seen or read. Everything from him was "I did this, I bet you couldn't do it" and me me me me, challenging the reader that nobody could do what he has done. Like we are less than him.