(This article was originally published on the Findings From the Field blog.)
Miles McQueen of the University of Idaho & Idaho National Laboratories gave an interesting presentation in the Security track at the ARC World Forum in Orlando some time ago. He talked about work INL had done with its own people to increase awareness of social engineering attacks. As background, he cited pan-cultural research on lying: the research showed which traits people across many cultures believed indicated that someone was lying:
In the INL experiments in 2008, 40% of employees provided their passwords to a fake employee over the telephone. Many reported the phone phishing, but the first such report came fully 45 minutes after the experiment started, by which time a number of passwords had already been harvested. 20% of employees plugged thumb drives found in the parking lot into their computers, and 10% opened an attachment on an official-looking email.
Other phishing experiments showed between 45% and 80% success in getting people to open attachments and provide username/password credentials when the phishing email was tailored to each individual recipient, using information about the recipient and about the target’s context (school, work, military academy) in the email.
The implications for industrial security are alarming – all the firewalls and VPNs in the world won’t help you if your people are giving out their passwords to strangers or plugging "found" USB sticks into their workstations. To deal with the threat, you need measures like:
That’s all for now. I’m off to scatter USB keys in the parking lot at head office...
Security Basics: Social Engineering
Posted by Andrew Ginter at 10:53