What are the network security threats you should be aware of

Network Security Policy – Physical and Social Engineering Attacks

What is your network security policy? Let’s imagine you’re employed in a corporate environment in which you’re, at least partially, accountable for network security. You have deployed a firewall, antivirus and anti-spyware protection, and your PCs are all current with patches and security fixes. You sit back and consider the fine job you’ve done to make sure you won’t be hacked.

You’ve done what many people believe are the major steps toward building a secure network. That is only partially true. What about the other aspects of your network security policy?

Social Engineering Attacks?

Have you considered a social engineering attack? What about the people who use your network every day? Are you prepared to handle attacks that come through them?

Believe it or not, the weakest link in your security plan is often the people who use your network. For the most part, users are not trained in how to spot and defuse a social engineering attack. What prevents a user from finding a CD or DVD in the lunch room, taking it to their workstation and opening the files on it? That disc may hold a spreadsheet or word processor file with a malicious macro embedded in it. The next thing you know, your network has been compromised.
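One practical control against the "found disc" scenario above is to check removable media for macro-bearing documents before anyone opens them. The following is an added example, not code from the original article: it uses only the Python standard library and relies on the fact that Office Open XML files (.docx, .docm, .xlsx, .xlsm and so on) are zip archives in which a VBA project is stored as a part named vbaProject.bin. Because the check looks at the archive contents rather than the file extension, a .docm renamed to .docx is still flagged. The sample "disc" it scans is constructed inside a temporary directory with harmless placeholder contents; legacy OLE formats (.doc, .xls) would need an OLE parser and are not covered here.

```python
"""Scan removable-media files for embedded VBA macros before anyone opens them.

Office Open XML files are zip archives; a VBA project is stored as a part
named vbaProject.bin (word/vbaProject.bin, xl/vbaProject.bin, ...). Checking
for that part does not depend on the extension, so a .docm renamed to .docx
is still caught. Legacy OLE files (.doc/.xls) are not zips and are skipped.
"""
import os
import tempfile
import zipfile

MACRO_PART = "vbaproject.bin"


def has_vba_project(path):
    """Return True if the file is an OOXML zip containing a VBA project part."""
    if not zipfile.is_zipfile(path):
        return False  # plain text, images, legacy OLE docs: not handled by this check
    with zipfile.ZipFile(path) as zf:
        return any(os.path.basename(name).lower() == MACRO_PART for name in zf.namelist())


def scan_tree(root):
    """Walk a directory (e.g. a mounted CD) and return sorted, POSIX-style relative
    paths of every file that carries a VBA project."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if has_vba_project(p):
                flagged.append(os.path.relpath(p, root).replace(os.sep, "/"))
    return sorted(flagged)


def _write_ooxml(path, parts):
    """Helper: write a minimal zip that mimics an OOXML package with the given parts."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name in parts:
            zf.writestr(name, b"\x00")  # placeholder bytes, not a real document or macro


def build_sample_disc(root):
    """Constructed sample of what a found disc might contain (assumed file names,
    harmless placeholder contents). One macro file keeps a .docx extension on purpose."""
    os.makedirs(os.path.join(root, "reports"), exist_ok=True)
    _write_ooxml(os.path.join(root, "memo.docx"), ["word/document.xml"])
    _write_ooxml(os.path.join(root, "salaries.xlsm"), ["xl/workbook.xml", "xl/vbaProject.bin"])
    _write_ooxml(os.path.join(root, "reports", "q1.docx"),
                 ["word/document.xml", "word/vbaProject.bin"])
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("plain text, not an archive\n")


def demo():
    """Build the constructed sample disc in a temp dir, scan it, and return the flagged paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_disc(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel in demo():
        print("macro found:", rel)
```

Point the scanner at the mount point of the disc or USB stick instead of the constructed sample; anything it flags should go to the security team rather than be double-clicked. The check is deliberately conservative: a flagged file is not proof of malice, only proof that a macro is present.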

The same problem exists wherever help desk staff reset passwords over the telephone. There is nothing to stop someone intent on breaking into your systems from calling the help desk, pretending to be an employee, and asking for a password reset. Nearly all organizations use a fixed convention to generate usernames, so they are not especially hard to guess.

Are Your Network Security Policies Strict Enough?

Your company must have strict policies in place to verify the identity of the user before a password reset is performed. One simple approach is to require the person to visit the help desk in person. Another, which works well when your offices are geographically distant, is to designate a single contact at each site who is the only person allowed to phone in a password reset. That way everyone on the help desk becomes familiar with that individual’s voice and can recognize that the caller is who they claim to be. A familiar voice is not proof on its own, so pair it with a callback to the contact’s number on file rather than the number the caller gives you.

Why would an attacker come to your office or phone the help desk? Simple: it is often the path of least resistance. There is no need to spend time breaking into an electronic system when the physical or human side is easier to exploit. The next time you see someone come through the door behind you and you don’t recognize them, stop and ask who they are and why they are there. If they are someone who is not supposed to be there, more often than not they will leave as quickly as possible. If they are supposed to be there, they will most likely be able to name the person they have come to see.

So What Does This All Mean?

I know some of you may think I’m crazy, right? Well, consider Kevin Mitnick, one of the most notorious hackers in history. The United States government believed he could whistle tones into a phone and launch a nuclear strike. Nearly all of his hacking was done through social engineering. Whether by visiting offices in person or by making a phone call, he pulled off some of the best-known intrusions to date. If you want to learn more about him, search his name on the web or read the two books he has written.

It’s beyond me why people dismiss these kinds of attacks. I suppose some network engineers are simply too proud of their setup to admit it could be breached so easily. Or perhaps people don’t feel they should be responsible for educating their staff? Another reason is that most organizations don’t give their IT departments the authority to promote physical security as part of the network security policy; that is usually the domain of the building manager or facilities management. Nonetheless, if you can educate your employees even a little, you may be able to prevent a network breach from a physical or social engineering attack.
