Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

22.09.2008

Social Engineering Remains a Major Corporate Security Vulnerability



Anonymous hackers recently disclosed social methods used to obtain email account information from Governor Sarah Palin. In other news, officials from Websense, Inc. announced new Web 2.0 security products, while a trio of German companies announced free beta software to prevent Trojans from hijacking passwords from PCs.

Focal Points:

  • Various anonymous posts appeared in the last week describing how Republican Vice Presidential candidate Sarah Palin's email account was successfully hacked. The main way into her account was social engineering. A hacker Googled information about Mrs. Palin's personal background and was then able to reset the password on her account when asked some personal questions about her family background. While any given password may have been secure, the way most public email accounts ask for "secret" words about the account holder makes it very easy to gain access to private information held by these public services.
  • Officials from Websense announced new Web and data security offerings, intended to improve the security of corporate data and email. Officials announced what they claim is the industry's first real-time Web 2.0 content classification and malware protection product. The product, Websense Web Security Gateway, Version 7, is designed to work in Web 2.0 environments. Company officials also announced the availability of Data Security Endpoint, which is designed to increase IT's ability to prevent data loss. The channels on which it prevents data leakage include applications, printers, USB devices, and other network resources.
  • Three different German software firms claimed to have developed a password entry system that can prevent Trojans and viruses from stealing passwords on Microsoft Corp. Windows-based machines. This virtual keyboard software was developed in conjunction with CyProtect AG, Global IP Telecommunications, and PMC Ciphers, Inc. A beta version of the software is available for download for free. Officials said this technology would make it safe to enter PIN codes and online banking transaction numbers on PCs. The software puts a virtual keyboard on the video display, with characters flickering at high speed and keys placed at random positions on the keyboard. When the software was tested against simulated Trojans, the Trojan was not able to capture the actual key characters making up the password. This held even with a Trojan taking up to 15 percent of the CPU cycles, which is well above typical Trojan CPU allocations.

Experton Group believes social engineering will play as great a role in corporate security as technology. In fact, most successful acquisitions of corporate data are inside jobs, which makes it just as important to educate all employees on proper security procedures and to augment automated auditing with environmental auditing for social security vulnerabilities. IT executives should document security policies, conduct ongoing security awareness training, and audit social channels as well as network channels for potential security vulnerabilities.

Press

Contact

Suzette Heydenreich

Tel.: +971 4 360 8699
Fax: +971 4 361 5699

suzette.heydenreich@experton-group.com