To say it in the words of the security guru, Mr. Schneier: “Amateurs hack systems, professionals hack people.”
Don’t believe that the typical hacker is the socially awkward 20-something-year-old young man who cannot make eye contact with someone at Starbucks — like Elliot from Mr. Robot. The most successful hackers are truly gifted grifters who can “talk their way out of almost anything” — or better said, “talk their way into anything.”
Kevin Mitnick is probably the most notorious hacker of recent years; he mastered the art of exploiting human vulnerabilities to get into computer systems, including those of American government agencies and technology companies. Testifying before a Senate panel on government computer security in 2000, after spending nearly five years in jail, Mr. Mitnick explained that:
When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.
So that got me curious and I started to look around on the internet… and here are some statistics that I dug up that, if we were to take at face value for a moment, draw a frightening picture:
- In one survey, carried out by PentaSafe Security, two-thirds of commuters at London’s Victoria Station were happy to reveal their computer password in return for a ballpoint pen.
- Per social engineering.cog, 14% reply to phishing texts, 60% click on links and 26% will return a call.
- Per the Verizon Data Breach Report, the combination of miscellaneous errors, insider or privilege misuse, and physical theft and loss accounted for almost 50% of all breaches. The common denominator, however, is the human being.
- According to Meta Group, the most common way for intruders to gain access to company systems is simply finding out the full name and username of an employee (easily deduced from an e-mail message), calling the help desk posing as that employee and pretending to have forgotten the password.
- The 25 most common passwords consist of entries such as 123456, password, 1234567, qwerty, 12345 and so on, which, as you can tell by now, are not even hard to guess for a seven-year-old who wants to play some more Angry Birds on her dad’s phone.
And there are other common mistakes that are made, such as not changing the default passwords on infrastructure devices, not locking your PC as you walk away for lunch, writing down passwords on sticky notes attached to your screen or leaving your system susceptible to theft in your car or in a public place.
Simple measures, such as encouraging employees to log out during lunch hours and to choose sensible passwords, can dramatically enhance security at very little cost. Passwords should ideally be eight characters long and contain a mixture of numbers, letters and special characters. Educating employees not to use their dog’s name plus the birthdate that is posted all over Facebook as a password makes those passwords harder to guess. And, to add insult to injury, buying a lot of shiny firewall, DLP, DPI, VPN, proxy and who knows what other network protection systems doesn’t solve the problem. Once I am in your network as someone that these systems think is a legitimate user, I can do whatever I want and rob you blind.
So how do you protect yourself from the weakest link in the chain: the human? How do you protect all these DPI, DLP, FW and VPN systems? Users should have a different password on each system, and they should have access to easy-to-use self-service tools so they never have to reveal their passwords to anyone, including systems administrators. Users need to be given a tool that lets them access everything, their daily applications, devices and resources, from a common interface and gives them an easy-to-use one-time password utility. One-time passwords cannot be stolen, tricked out of users or written down (well, they can be written down, but they have a short shelf life). Companies need to give users something that is easy to use, works on all their accounts, systems and resources, protects privilege escalation requests and allows IT to protect especially sensitive systems with additional workflow policies that control access.
The combination of Centrify Identity, Privilege Service and Server Suite accomplishes exactly that.