Social engineering attacks: blame process, not employees, says security expert

Businesses that lose data in attacks using social engineering typically blame employees, but that is often extremely unfair, says US-based internet security expert Ira Winkler.

"The real problem is weak security procedures, but individuals tend to get blamed because it makes executives look better," he told attendees of RSA Conference 2010 in San Francisco.

Winkler, who is president of the Internet Security Advisors Group (ISAG), cited an example of how he was able to gain access to a corporate server room.

He simply called the company's reception desk, posed as a company executive and ordered an access card to be issued, then later collected the card.

"The company wanted to blame the staff involved, but the problem was that the process for issuing access cards did not require authentication of people requesting and receiving the cards," he said.

After the weakness was exposed, the company demanded to know who had been responsible for issuing the cards, proving there were no tracking processes in place, said Winkler.

Employees manipulated in this way are not to blame, he said, but by shifting the blame, executives hide the fact that they have failed to implement robust security procedures.

"The problem is that when individuals are blamed, the processes often remain unchanged and the vulnerability remains," said Winkler.

Many so-called social engineering attacks could be prevented simply by ensuring that processes are robust and include proper authentication and tracking mechanisms, he said.
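To make the process weakness concrete, here is an added model of the access-card issuance flow described above; it is example code written for this page, not Winkler's or the company's. The employee IDs, the callback check and the issuer name are constructed assumptions; the weak path trusts the caller and records nothing, the hardened path authenticates both requester and recipient and logs every decision.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed staff directory (hypothetical IDs, not from the article).
DIRECTORY = {"E100": "A. Executive", "E200": "B. Employee"}


@dataclass
class CardRequest:
    claimed_requester: str            # identity the caller claims to have
    recipient: str                    # person who will collect the card
    recipient_id_verified: bool = False  # photo ID checked at hand-over?


@dataclass
class IssuanceDesk:
    # Callback to the requester's number on record; True only if they confirm.
    confirm_by_callback: Callable[[str], bool]
    audit_log: list = field(default_factory=list)

    def issue_weak(self, req: CardRequest) -> str:
        # The process in the article: trust the caller, keep no record.
        return f"card:{req.recipient}"

    def issue_hardened(self, req: CardRequest, issuer: str) -> Optional[str]:
        # 1. Authenticate the requester through the directory, not the call.
        if (req.claimed_requester not in DIRECTORY
                or not self.confirm_by_callback(req.claimed_requester)):
            self.audit_log.append(("REJECTED", "requester", req.claimed_requester, issuer))
            return None
        # 2. Authenticate the recipient when the card is handed over.
        if req.recipient not in DIRECTORY or not req.recipient_id_verified:
            self.audit_log.append(("REJECTED", "recipient", req.recipient, issuer))
            return None
        # 3. Track who issued which card to whom, so it can be traced later.
        card = f"card:{req.recipient}"
        self.audit_log.append(("ISSUED", card, req.claimed_requester, req.recipient, issuer))
        return card


def demo():
    # An impostor claims to be E100; the real E100 denies it on callback.
    desk = IssuanceDesk(confirm_by_callback=lambda emp: False)
    req = CardRequest("E100", "E200", recipient_id_verified=True)
    return desk.issue_weak(req), desk.issue_hardened(req, "desk-1"), desk.audit_log
```

The weak path hands out a card and leaves no trail; the hardened path refuses the same request and records who rejected it and why.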
