I recently read two different stories that I probably never would have connected, had I not read them within 24 hours of one another. It struck a chord with me because it made me think about a particular pet peeve of mine in a slightly new way. But more about that later.
The first article was entitled “Social Engineering 101: Mitnick and other hackers show how it’s done.” Kevin Mitnick was the computer hacker popularly credited with using the telephone system to break into NORAD and with inspiring the movie WarGames; that story is a myth Mitnick himself denied, but his real exploits relied heavily on exactly the kind of social engineering this article is about. The article contains several YouTube videos in which Mitnick and other hackers describe the social engineering tricks they used to talk employees into handing over sensitive information. The examples are at once hilarious and horrifying.
The second article was a blog entry entitled “The Magic of Marketing” on Guy Kawasaki’s “How to Change the World” blog. In it, he discusses research on the relationship between misdirection and social cues. In a nutshell, one experiment found that where a magician directed his gaze influenced where the audience looked, which helped produce the misdirection the illusion required. Kawasaki, whose marketing gears are turning at full speed 24/7, made the keen observation that the same social cues can be put to work in marketing.
I’m sure by now you’ve made the same connection: Mitnick and other social engineers exploit ordinary social cues to create misdirection, and that misdirection lets them sustain whatever illusion they wish. That brings me to my pet peeve regarding IT security – reliance on technology while ignoring the weakest link… people.
I am a firm believer that an ounce of prevention is worth a pound of cure, and that applies to security as well. Basic employee awareness training and clear, enforced computer and internet use policies are a major step toward closing these holes. But in my travels as a technology consultant, I am disappointed by the number of organizations that don’t seem to “get it.” Too many of them exist in a false sense of security (pun intended) that their firewalls, IPSs, and security agents will keep them safe, even though none of those controls stops an employee who has been talked into giving away a password.
One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.