How to Secure Data by Addressing the Human Element
Your sensitive data is only as secure as the weakest link in your organization, and in many cases the weak link is your employees. A properly established security awareness and training program can pay huge dividends.
Wed, August 15, 2012
CIO — Regardless of the security expertise and resources you apply to securing your assets, you are unlikely to achieve much unless you focus on the most vulnerable element of your organization: your employees.
"Computers have become much more secure over the past 15 years, but humans have not," says Lance Spitzner, training director for the Securing the Human program at SANS Institute, a cooperative research and education organization focused on security certification. "The human really has become the weakest link."
When It Comes to Security, Humans Are Low-Hanging Fruit
Because the technology itself is no longer necessarily the low-hanging fruit, malicious hackers are finding easier ways to penetrate organizations, like social engineering or preying upon employees with poor password discipline. Employees commonly simply don't know how to write strong passwords, how to comply with data protection policies or share data securely, Spitzner says.
"We define social engineering as understanding what makes a person think, tick, and react and then using those emotional responses to manipulate a person into taking an action that you want them to take," says Chris Hadnagy, a co-founder of security education organization Social-Engineer.org and operations manager at security training and tools firm Offensive Security. Hadnagy is also the author of the book, Social Engineering: The Art of Human Hacking.
At the DEF CON 18 Hacking Conference in 2010, Social-Engineer.org organized its first social engineering capture the flag contest to showcase how social engineers penetrate companies' defenses.
Two weeks prior to the conference, the contestants, amateur social engineers all with little or no experience, were each given the name of a real company. They were allowed to spend the two weeks prior to the contest using "noninvasive" techniques (like Google searches) to compile a dossier on the company to which they had been assigned. They were not allowed to e-mail, telephone or contact the companies, but anything freely available on the Web was fair game. The dossiers were used to create a profile of the company and plan an "attack vector," a strategy for getting employees of the target company to reveal "flags," or bits of information.
Social-Engineer.org compiled the flags-things like who handles the firm's tape backups, what browser and version the employee used, the PDF client the employee used or whether the company had a cafeteria and who operated it. The FBI vetted the list of flags and the contest rules specifically prohibited contestants from trying to gain passwords, IP addresses or other sensitive data.