The art of deception
An interesting article on the BBC website today shows how critical a good security culture is to an organisation. An external consultant, through social engineering techniques and bags of confidence, managed to gain unauthorised physical access to a company's premises and from there, very quickly, access to sensitive documents. He then repeated the feat at the BBC's request, and this time gained access to user accounts and passwords just by pretending to be an IT support engineer.
The episode is enlightening. Everyone assumes the Internet is full of bad people, and protects their networks accordingly. However, staff are usually the weakest link in a security chain. In his book 'The Art of Deception', Kevin Mitnick gives lots of examples of different methods he'd used to trick his way into company networks. In each case, he used various means of persuasion to get people to give up information he needed to get into the networks. People often assume that hackers are technically gifted recluses. This is a dangerous and unrealistic misconception. Unfortunately, people tend to plan their security defences around this misconception, giving the skilful attacker plenty of holes to exploit.
http://news.bbc.co.uk/1/hi/technology/7843206.stm