Social engineering attacks: blame process, not employees, says security expert

Businesses that lose data in attacks using social engineering typically blame employees, but that is often extremely unfair, says US-based internet security expert Ira Winkler.

"The real problem is weak security procedures, but individuals tend to get blamed because it makes executives look better," he told attendees of RSA Conference 2010 in San Francisco.

Winkler, who is president of the Internet Security Advisors Group (ISAG), cited an example of how he was able to gain access to a corporate server room.

He simply called the company's reception desk, posed as a company executive to have an access card issued, and later collected the card himself.

"The company wanted to blame the staff involved, but the problem was that the process for issuing access cards did not require authentication of people requesting and receiving the cards," he said.

After the weakness was exposed, the company demanded to know who had been responsible for issuing the card, which showed that there were no tracking processes in place either, said Winkler.

Employees manipulated in this way are not to blame, he said, but by shifting the blame, executives hide the fact that they have failed to implement robust security procedures.

"The problem is that when individuals are blamed, the processes often remain unchanged and the vulnerability remains," said Winkler.

Many so-called social engineering attacks could be prevented simply by ensuring that processes are robust and include proper authentication and tracking mechanisms, he said.
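The two controls Winkler calls for, authentication of the person requesting and receiving a card and a record of who handled each step, can be made concrete in a small issuance workflow. The following is an added illustration written for this page; it is not code from the article, from Winkler or from ISAG, and the service, directory entries, employee id, phone number and desk names are all constructed. The point it shows is that a phone call is recorded as a claim, not as an identity: a card cannot be issued until the requester is verified by calling back the number on record (not a number the caller supplied), the card is only released against a photo ID matching the directory, and every action is written to an append-only audit trail so the question "who issued this card?" always has an answer.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets

# Constructed staff directory standing in for an HR / identity system (hypothetical data).
DIRECTORY = {
    "e1001": {"name": "A. Executive", "phone_on_record": "+1-555-0100"},
}


@dataclass
class AuditEvent:
    at: datetime
    action: str
    request_id: str
    actor: str
    detail: str


class CardIssuanceService:
    """Hypothetical issuance workflow: request -> verify -> issue -> collect, every step logged."""

    def __init__(self, directory):
        self.directory = directory
        self.requests = {}   # request_id -> {"employee", "state", "card_id"}
        self.audit = []      # append-only trail of AuditEvent

    def _log(self, action, request_id, actor, detail=""):
        self.audit.append(AuditEvent(datetime.now(timezone.utc), action, request_id, actor, detail))

    def submit_request(self, claimed_employee_id, received_by, channel):
        """Record an incoming request. What a caller claims is data, not proof of identity."""
        if claimed_employee_id not in self.directory:
            raise ValueError("unknown employee id")
        request_id = secrets.token_hex(4)
        self.requests[request_id] = {"employee": claimed_employee_id, "state": "UNVERIFIED", "card_id": None}
        self._log("request_received", request_id, received_by, f"channel={channel} claimed={claimed_employee_id}")
        return request_id

    def verify_requester(self, request_id, verifier, number_called_back, confirmed):
        """Verify out-of-band: the callback must go to the number on record, not one the caller gave."""
        req = self.requests[request_id]
        on_record = self.directory[req["employee"]]["phone_on_record"]
        if number_called_back != on_record or not confirmed:
            req["state"] = "REJECTED"
            self._log("verification_failed", request_id, verifier, f"called={number_called_back}")
            return False
        req["state"] = "VERIFIED"
        self._log("requester_verified", request_id, verifier, f"callback={on_record}")
        return True

    def issue_card(self, request_id, issuer):
        """Only a VERIFIED request can produce a card, and the issuer is always recorded."""
        req = self.requests[request_id]
        if req["state"] != "VERIFIED":
            self._log("issue_refused", request_id, issuer, f"state={req['state']}")
            raise PermissionError(f"request {request_id} is {req['state']}, not VERIFIED")
        card_id = "CARD-" + secrets.token_hex(3)
        req.update(state="ISSUED", card_id=card_id)
        self._log("card_issued", request_id, issuer, f"card={card_id}")
        return card_id

    def collect_card(self, request_id, handed_over_by, id_document_name):
        """Hand-over requires a photo ID whose name matches the directory record."""
        req = self.requests[request_id]
        expected = self.directory[req["employee"]]["name"]
        if req["state"] != "ISSUED" or id_document_name != expected:
            self._log("collection_refused", request_id, handed_over_by, f"id_presented={id_document_name}")
            return False
        req["state"] = "COLLECTED"
        self._log("card_collected", request_id, handed_over_by, f"card={req['card_id']}")
        return True

    def who_handled(self, card_id):
        """Answer the question the company in the article could not: who touched this card, and when."""
        rid = next((r for r, v in self.requests.items() if v["card_id"] == card_id), None)
        return [(e.action, e.actor) for e in self.audit if e.request_id == rid]


def demo():
    """Constructed walk-through: a premature issue attempt is refused, then the verified path succeeds."""
    svc = CardIssuanceService(DIRECTORY)
    rid = svc.submit_request("e1001", received_by="reception-1", channel="phone")
    try:
        svc.issue_card(rid, issuer="reception-1")          # refused: nothing has been verified yet
    except PermissionError:
        pass
    svc.verify_requester(rid, "reception-1", number_called_back="+1-555-0100", confirmed=True)
    card = svc.issue_card(rid, issuer="reception-1")
    svc.collect_card(rid, handed_over_by="reception-2", id_document_name="Someone Else")   # refused
    svc.collect_card(rid, handed_over_by="reception-2", id_document_name="A. Executive")   # released
    return svc, rid, card


if __name__ == "__main__":
    service, request_id, card_id = demo()
    for action, actor in service.who_handled(card_id):
        print(f"{action:22s} by {actor}")
```

The state names and the callback rule are design choices for this illustration rather than anything the article specifies; the property worth keeping is that neither issuance nor hand-over is reachable from a bare claim, and that the trail is written by the service, not left to whoever happens to be at the desk.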
