Network Security - The Real Vulnerabilities
by: carolmartin11
Date: Mon, 14 Mar 2011 Time: 2:37 PM
Scenario: You work in a corporate environment in which you are, at least partially, responsible for network security. You have implemented a firewall, virus and spyware protection, and your computers are current with patches and security fixes. You sit back and admire the job you have done to make certain that you will not be hacked.
You have carried out what most people think are the major steps towards a secure network. This is partially correct. What about the other factors?
Have you considered a social engineering attack? What about the users who use your network on a daily basis? Are you prepared to deal with attacks by these people?
Surprisingly, the weakest link in your security plan is the people who use your network. For the most part, users are not educated on how to identify and neutralize a social engineering attack. What is going to stop a user from picking up a CD or DVD in the lunch room, taking it to their workstation and opening the files? This disk could contain a spreadsheet or word processor document that has a malicious macro embedded in it. The next thing you know, your network is compromised.
This issue exists particularly in an environment where help-desk staff reset passwords over the phone. There is nothing to prevent a person intent on breaking into your network from calling the help desk, pretending to be an employee, and asking to have a password reset. Most organizations use a system to generate usernames, so it is not very hard to figure them out.
Your organization must have strict policies in place to verify the identity of the user before a password reset can be done. One easy step is to have the user go to the help desk in person. The other method, which is effective if your offices are geographically far apart, is to designate one contact in the office who can phone for a password reset. This way everyone who works on the help desk can recognize the voice of this person and know that they are who they say they are.
Why would an attacker go to your office or make a phone call to the help desk? Simple: it is almost always the path of least resistance. There is no need to spend hours attempting to break into an electronic system when the physical system is easier to exploit. The next time you see someone walk through the door behind you and do not recognize them, stop and ask who they are and what they are there for. If you do this, and it happens to be somebody who is not supposed to be there, most of the time he will leave as fast as possible. If the person is supposed to be there, he will in all probability be able to produce the name of the person he is there to see.
I know you are saying that I am crazy, right? Well, think about Kevin Mitnick. He is probably one of the most decorated hackers ever. The US government thought he could whistle tones into a telephone and launch a nuclear attack. The majority of his hacking was done through social engineering. Whether he did it through physical visits to offices or by making a telephone call, he accomplished most of his hacks to date. If you want to learn more about him, Google his name or read the two books he has written.
It is beyond me why people try to dismiss these kinds of attacks. I suppose some network engineers are simply too proud of their network to admit that it could be breached so easily. Or could it be that people do not feel they should be responsible for educating their employees? Most organizations do not give their IT departments the authority to promote physical security. Normally, this is an issue for the building manager or facilities management. Nonetheless, if you can educate the employees even the slightest bit, you may be able to prevent a network breach from a physical or social engineering attack.
About the Author
Franklin Publishing Group provides high quality articles for clientele around the globe. Our customer Atlanta PC Repair Nerds Next Door offers qualified PC Repairs in Atlanta. For more information please call Nerds Next Door at 888-596-4321