Monday, June 19, 2006

Candy Man

From Dark Reading comes an account of treachery, deceit, low-down dirty deeds and USB thumb-drives. What they did to test a company's awareness of social engineering was brilliantly devious. For a brief time one morning, it rained thumb-drives:

You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans' innate curiosity. Emailed virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.

Disagree? Sprinkle your receptionist's candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.

As always, your most vulnerable area is employee training, morale and supervision. Let's face it, users suck. But if you can just get them on your side a little, they will suck less.

