By Jacqui Henderson
If Australian comedians Hamish and Andy are able obtain enough sensitive information to potentially steal the London 2012 Olympic flame, then there’d better be big red lights flashing somewhere.
Having never been trained in social engineering, rather merely a comedian who is capable of putting on a disguise in attempt to get a laugh, Hamish with his bogus British accent, managed to get the “inside scoop” on security, from just one 5 minute phone call to the London 2012 help desk.
Through his impersonation of an elderly ex-Olympian concerned about his personal safety, Hamish was able to build rapport and trust with the lady on the end of the line. He used his charisma to informally feed her probing questions in regards to what security will be surrounding the Olympic flame and she proved eager to assist. Her willingness to answer all of Hamish’s questions, no matter how outrageous, left the duo with nearly enough information to ‘launch a strike’ and potentially steal the Olympic flame.
The overtly accommodating nature of this help desk staff reinforces the fact that no matter how good your online security is, your security process as a whole can still be completely exposed through one inexperienced, albeit friendly help desk staff.
Help desks have often been seen as an easy target for social engineers. Their desire to help and please the caller frequently precedes the security standards of the organization. Similarly, they often have a lot of critical information in their hands and in conjunction with their natural instinct to trust and assist the caller, this often makes them highly vulnerable to an attack.
As Kevin Mitnick explained through his book ‘The Art of Deception’;
“As developers invent continually better security technologies, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn more and more to exploiting the human element. Cracking the human firewall is often easy, requires no investment beyond the cost of a telephone call, and involves minimal risk.”
Through this traditional manipulation of the friendly help desk staff, it is apparent that no matter how advanced the technology used to maintain your security, if the people and processes of your organization are not up to scratch, everything else can be in vain.
If it takes just one hole in your company’s security processes for an attacker to extract sensitive information, should we be now shifting our attention to companies further strengthening their “human firewall”?
With the human element currently being the biggest threat to security, additional training in security processes becomes paramount. Help desk staff need to learn to question and be more suspicious of the caller’s intentions, before willingly handing over information.
So when it comes down to receiving a slightly poorer customer service review or risking your entire company’s physical and financial security, I know which one I’d choose…
I welcome your comments.