Social engineering attacks: blame process, not employees, says security expert

Warwick Ashford

Businesses that lose data in attacks using social engineering typically blame employees, but that is often extremely unfair, says US-based internet security expert Ira Winkler.

"The real problem is weak security procedures, but individuals tend to get blamed because it makes executives look better," he told attendees of RSA Conference 2010 in San Francisco.

Winkler, who is president of the Internet Security Advisors Group (ISAG), cited an example of how he was able to gain access to a corporate server room.

He simply phoned the company's reception desk, posed as a company executive, ordered an access card to be issued, and later collected the card in person.

"The company wanted to blame the staff involved, but the problem was that the process for issuing access cards did not require authentication of people requesting and receiving the cards," he said.

After the weakness was exposed, the company demanded to know who had issued the cards, which showed there was no record of who had issued them: no tracking process existed, said Winkler.

Employees manipulated in this way are not to blame, he said; by shifting the blame onto them, executives hide their own failure to implement robust security procedures.

"The problem is that when individuals are blamed, the processes often remain unchanged and the vulnerability remains," said Winkler.

Many so-called social engineering attacks could be prevented simply by ensuring that processes are robust and include proper authentication and tracking mechanisms, he said.
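As an added illustration of the two controls Winkler describes (authentication of the requester and recipient, and a record of who did what), here is a small access-card issuance workflow. It is example code written for this page, not anything from Winkler or ISAG; the directory entries, phone numbers, identities and operator names are constructed. The receptionist never acts on a caller's claim: the caller is rung back on the directory number of record, a second authorised person must approve, the person collecting must present identity matching the request, and every step is logged so that "who issued this card?" can always be answered.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed directory of record (hypothetical data). It is the only source a
# receptionist may use to decide who may request a card and which number a
# call-back goes to; the caller's own statements are never used.
DIRECTORY = {
    "jsmith": {"phone": "+1-555-0100", "can_request": True},   # executive
    "mlee":   {"phone": "+1-555-0102", "can_request": True},   # facilities manager
    "rdoe":   {"phone": "+1-555-0101", "can_request": False},  # new hire
}


class ProcessError(Exception):
    """Raised when a step is attempted without the authentication it requires."""


@dataclass
class CardRequest:
    request_id: str
    requester: str                      # verified directory id, not a caller's claim
    recipient: str                      # directory id of the person who will hold the card
    approved_by: Optional[str] = None
    card_id: Optional[str] = None
    issued_by: Optional[str] = None
    collected_by: Optional[str] = None


class CardIssuance:
    """Verified request -> independent approval -> issue -> verified pickup, all audited."""

    def __init__(self):
        self.requests = {}      # request_id -> CardRequest
        self.audit = []         # (utc timestamp, actor, action, detail)
        self._seq = 0

    def _log(self, actor, action, detail):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, detail))

    def request(self, operator, claimed_identity, callback_number, recipient):
        """Step 1: hang up and ring the directory number of record. A caller who can
        only be reached on some other number is refused, whatever title they claim."""
        entry = DIRECTORY.get(claimed_identity)
        if entry is None or entry["phone"] != callback_number:
            self._log(operator, "request.rejected", f"caller claiming '{claimed_identity}' not reached on number of record")
            raise ProcessError("requester identity not verified")
        if not entry["can_request"]:
            self._log(operator, "request.rejected", f"{claimed_identity} may not request cards")
            raise ProcessError("requester not authorised")
        self._seq += 1
        rid = f"REQ-{self._seq:04d}"
        self.requests[rid] = CardRequest(rid, claimed_identity, recipient)
        self._log(operator, "request.created", f"{rid}: {claimed_identity} requested a card for {recipient}")
        return rid

    def approve(self, approver, rid):
        """Step 2: two-person rule. The approver is a different, authorised person."""
        req = self.requests[rid]
        if approver == req.requester or not DIRECTORY.get(approver, {}).get("can_request"):
            self._log(approver, "approve.rejected", rid)
            raise ProcessError("approval must come from a second authorised person")
        req.approved_by = approver
        self._log(approver, "request.approved", rid)

    def issue(self, operator, rid):
        """Step 3: a card is programmed only for an approved request; the issuer is recorded."""
        req = self.requests[rid]
        if req.approved_by is None:
            raise ProcessError("request not approved")
        req.card_id, req.issued_by = f"CARD-{rid[-4:]}", operator
        self._log(operator, "card.issued", f"{req.card_id} for {rid}")
        return req.card_id

    def collect(self, operator, rid, presented_id):
        """Step 4: whoever collects must show identification matching the recipient on file."""
        req = self.requests[rid]
        if req.card_id is None:
            raise ProcessError("no card issued for this request")
        if presented_id != req.recipient:
            self._log(operator, "collect.rejected", f"{presented_id} tried to collect {req.card_id} for {req.recipient}")
            raise ProcessError("presented identity does not match recipient")
        req.collected_by = presented_id
        self._log(operator, "card.collected", f"{req.card_id} handed to {presented_id}")
        return req.card_id

    def who_issued(self, card_id):
        """The question the company in the article could not answer."""
        for req in self.requests.values():
            if req.card_id == card_id:
                return {"requested_by": req.requester, "approved_by": req.approved_by,
                        "issued_by": req.issued_by, "collected_by": req.collected_by}
        return None


def demo():
    """Replays the impostor call from the article against the process, then a legitimate issuance."""
    proc = CardIssuance()
    rejected = False
    try:  # impostor claims to be the executive but is only reachable on his own number
        proc.request("reception", "jsmith", "+1-555-0199", "rdoe")
    except ProcessError:
        rejected = True
    rid = proc.request("reception", "jsmith", "+1-555-0100", "rdoe")
    proc.approve("mlee", rid)
    card = proc.issue("badge-office", rid)
    proc.collect("reception", rid, "rdoe")
    return {"impostor_rejected": rejected, "card": card,
            "trail": proc.who_issued(card), "audit_events": len(proc.audit)}
```

Note that the impostor's call is refused by the process itself, not by the receptionist's judgement of the caller, and that the refusal is logged, so the attempt is visible even when it fails. The call-back check stands in for whatever verified channel a real site uses (an authenticated ticketing system, a signed e-mail from a known address); the point is that the identity comes from a source the caller does not control.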
