Tuesday, September 4, 2012

It Takes More Than Firewalls and Encryption To Protect Data

These days a lot of (you could probably say most) information is kept in a digital format. And with the stockpiling of digital data it is obvious that thieves would turn to the digital world in kind. That data must be protected.

In come the firewalls, encryption methods, and other security measures to ensure that no thief can break in and gain access to financial, medical, personal, or otherwise vital information. But is that enough? It would seem not.

A few weeks ago at DefCon (a major hacker convention) there was a contest in which the objective was to obtain certain pieces of information from a company...in front of a crowd of dozens. But the feat here isn't that "Gary Darnell" was able to get information that is not normally available (don't worry, it was nothing truly vital like passwords or customer information). No, the feat is how he did it.

"Gary" didn't just use the latest software to force his way into the network of the company he went after. No, instead he used the telephone.

Over the course of about 20 minutes Gary obtained the information by simply talking an employee out of it. Posing as a government employee offering a multi-million dollar deal, he was able to gain the trust of the person he spoke to. In no time he learned what is served in the cafeteria areas, the pay cycles of employees, and who handles their janitorial services. With the relationship built up, the employee gave "Gary" other details such as the make/model of his computer, what operating system it was running, and even what antivirus software it was running.

And then Gary really struck.

Having learned other details about the company and specifics about the computer the person he was talking to was using, he pointed him to an external website (as in, not on the company's network) to fill out a survey to prepare for an upcoming visit. Thankfully the site was blocked by the network's security, but that didn't raise any concern, as "Gary" told him that he would have his IT department look into it. After promising to call the next day to follow up on things, our "hacker" ended the call.

As I said above, it's not the what but the how that is important here.

The person that "Gary" spoke to didn't notice anything odd about a stranger asking for such deep details about his company. Not only was he giving up information, but he was also willing to go to an unknown site without a second thought. "Gary" was able to pull this off because, while the electronic defenses seemed to be up to snuff, the people themselves were lacking.

The best digital security in the world is useless if the people on the inside are helping the outsiders get in.