Are the social engineers or the people who do such attacks
becoming more criminal, like computer hackers are becoming more
criminal?
You can have a teenage kid who is using social engineering to
get into his friend's AOL screen name or you can have a military spy
using it to try to break in somewhere and everyone else in between.
Social engineering is simply a tool used to gain access.
Do you see a difference between social engineers today and when you were doing it?
When
I got started, when I learned about social engineering, it was during
the phone phreaking era, the predecessor to the hacking era. That was
more about calling different departments at phone companies to gain an
understanding of their processes and procedures and then being able to
pretend to be somebody at the phone company and having somebody do
something for you.
Social engineering happens quite frequently now. It happened with Network Solutions, it happened with Paris Hilton. These are the attacks you hear about. There are many social engineering attacks you never hear about because they are not detected or because the person who was attacked doesn't want to admit it.
It is growing because security technologies are getting more resilient. There are better technologies to protect information assets and the attacker is going to go after the weaker link in the security chain. Social engineering is always going to be here. The more difficult it is to exploit the technology, the easier it becomes to go after people.
If you look at the folk who attack vulnerabilities in technology
today and compare that to when you were first starting out, what trends
do you see?
Back then, a lot of the holes in technology were not readily
available and published like they are today on the Internet. Nowadays
anybody with a browser could pretty much purchase commercial hacking
tools like Canvas or go to a Web site where a lot of exploits are
readily available. Ten years ago, if you were hacking you had to
develop your own scripts. Today is like a point-and-click hacking
world. You don't have to know how the engine is working, you just know
to get in the car and drive. It is easier.
What would you say is the single biggest threat out there?
It is pretty much a blended threat. I think social engineering is
really significant because there is no technology to prevent it.
Companies normally don't raise awareness about this issue to each and
every employee. It is at the end of the priority list in the security
budget.
There will continue to be software vulnerabilities. In a lot of companies that I tested, if you are able to breach a perimeter machine, like...
For more, click here...
