Humans are the weak link in any corporation’s carefully crafted security perimeter. That’s the prevailing theme of Kevin Mitnick’s new book, The Art of Deception: Controlling the Human Element of Security (Wiley, October 2002), in which he shares stories of “social-engineering” hacks that involve everything from fake phone calls to dumpster-diving to illustrate how a dedicated and wily hacker can use human fragility and carelessness to crack a network.
Although CIOs may quickly tire of tales highlighting the boundless bravado of hackers, the book does offer some good advice on hardening your employees against such exploits. Mitnick recommends that companies encourage employees to adhere to the following security guidelines.
Do not give out any personal or internal company information to anyone unless you recognize the person’s voice beyond question and he or she has a need to know. Never disclose your password or any information about your password.
Do not download, open or respond to e-mails and files from any unknown source. When in doubt (whether verifying a request for information or opening a file), ask the security group for guidance.
Do not judge a book by its cover. Just because a caller knows the corporate structure and lingo, sounds authoritative or looks the part, doesn’t mean she is for real. It’s acceptable and expected to challenge authority when there’s a security risk at stake.
Do not transfer files to people you don’t know, even if the destination appears to be within company boundaries.