Security is About Psychology and Technology

Security is About Psychology and Technology

Google announced that it found a China-based hacking campaign to get into the email accounts of hundreds of users, including “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”

This wasn’t the first time Google saw email attacks launched from China. In January 2010, the company disclosed a technically sophisticated attack that sought access to the email accounts of Chinese human rights activists. Where the newest example differed was in method. The perpetrators used phishing exploits, tricking users into giving away their passwords.

Although someone with an information systems degree will look to technology as the source and solution of security problems, it’s just as important to understand the place of psychology and social engineering. Attackers often are far more successful though manipulating employees than in using complex software and technical tricks.

One reason social engineering works is that we all have used it and been manipulated by it from a young age. Children talk their parents into letting them stay up later than usual and working adults might look for time off or a raise.

When applied to corporations, attackers try to leverage human trust and habit to trick people into doing what the attackers want. The methods are generally quicker and more successful than technically hacking a network or server.

Although defending against any and all attempts to manipulate people in a company might be close to impossible, a little common sense in addition to awareness of automated solutions you get from an information technology program can go a long way:

  • Train people to be wary. It doesn’t mean employees become obstructive and angry. But when someone calls or shows up looking for confidential information, slow down and check. That could mean requesting a company name and calling back to be sure people are who they claim to be or asking a visitor who authorized an information release and check with that individual.
  • Use technology as an aid. Although employee awareness and attention to policies is best, you can mechanically reinforce behavior. For example, token authentication devices can cut the danger of someone surreptitiously obtaining a password, which will be useless without the proper device.
  • Test employees. Use social engineering penetration tests, having trusted people attempt to get something they shouldn’t have. Don’t make this an excuse to discipline employees. You want to teach them to be careful, not scare them into shutting down.
  • Encourage questioning. Employees who feel that they must do whatever they’re told and not question orders are perfect unwilling accomplices. Keep policies and procedures stable and explain why they are important. And any employee who refuses to let superiors skip security procedures should get positive recognition, not trouble.

Because social engineering is so flexible in practice, you can’t anticipate every situation. By concentrating on important principles, however, you can reduce the chance of successful attacks.