Wednesday, October 1, 2014

Social Engineering - Train Your Users to be Secure!

After my last post about passwords, I thought I should address another common problem in security - social engineering.  As a customer support computer professional, I regularly work with users who offer me their passwords so I can fix their computers.  I always try to impress on them that anyone who is authorized to fix their computer will already have the credentials (authorized access) to do so, and so will never need theirs.  Maybe I need to take a different approach - fear.

I commonly hear users tell me that their access is so low that no one could possibly use their password to access anything important.  That attitude is the problem.  If what they can access isn't important, why is it protected with a password at all?  A low-privilege account is still a foothold inside the network: it can read the directory, send believable mail to colleagues, and be tried against every other system where the same password was reused.  Everyone needs to learn to think defensively about security.

In addition to all the hardware and software protections we put in place, we need to train our users to be suspicious and skeptical.  Patrick Lambert says we need to "drill into our users that they should regard all links and attachments with a high degree of skepticism" to reduce phishing.  We should also stress to them that there are few, if any, legitimate reasons to share their login credentials.  The point that even small amounts of data are useful to an attacker should be reinforced at every opportunity.  Any time you can make them stop and think is a good thing.
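To make "skepticism about links" concrete, the following is an added example (not code from the original post or from Lambert's article) that inspects the links in an HTML email for the red flags a trained user is taught to look for: an IP address where a hostname should be, a username-style "@" that hides the real host, a punycode (internationalised) domain, and link text that names one domain while the href goes to another.  The sample email, the domains and the helper names are all constructed for the example; the registrable-domain check is a deliberately naive "last two labels" comparison rather than a public suffix list lookup.

```python
"""Flag common phishing red flags in the links of an HTML email (illustrative, constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email.  198.51.100.0/24 and the .example / example.com
# names are reserved documentation ranges, so nothing here is a real site.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. <a href="http://198.51.100.7/owa/">Click here</a> to upgrade.</p>
<p>Or sign in at <a href="https://bank.example.login-verify.example/">www.bank.example</a>.</p>
<p>Support: <a href="https://support.example.com/kb/2014">support.example.com</a></p>
"""

_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Something in the visible link text that looks like a domain name.
_TEXT_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Naive registrable domain: last two labels (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_red_flags(href, text):
    """Return a list of human-readable red flags for one link (empty if none)."""
    parts = urlsplit(href)
    if not parts.scheme:                      # bare "www.site/path" style href
        parts = urlsplit("http://" + href)
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme '{parts.scheme}:' (not a normal link)"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable href"]

    flags = []
    if _IPV4.fullmatch(host):
        flags.append("IP address instead of a hostname")
    if "@" in parts.netloc:
        # http://bank.example@evil.example/ really goes to evil.example
        flags.append(f"credentials/@ in URL (real host is {host})")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (internationalised) domain, may be a lookalike")
    m = _TEXT_DOMAIN.search(text.lower())
    if m and _registrable(m.group(1)) != _registrable(host):
        flags.append(f"link text says {m.group(1)} but goes to {host}")
    return flags


def scan_html_email(html):
    """Return [(href, text, flags), ...] for every link in the email body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, link_red_flags(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, flags in scan_html_email(SAMPLE_EMAIL):
        verdict = "; ".join(flags) if flags else "no red flags"
        print(f"{text!r:24} -> {href}\n    {verdict}")
```

Run against the constructed sample, the first two links are flagged (an IP-literal host, and text claiming `www.bank.example` while the href goes to `login-verify.example`) and the support link passes.  None of these checks proves a link is malicious or safe; they are the same cues you want users to notice when they hover over a link before clicking it.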

Social engineering remains one of the easiest ways for an attacker to gain access to a network.  We need to implement controls to protect our networks from our own innocent friendliness, but teaching suspicion will go a long way to help, since a technical control cannot tell the difference between a user and an attacker who is using credentials that user gave away.


Lambert, P. (2014, September 26). Social engineering red flags and tips for training users [Web log post]. TechRepublic. http://www.techrepublic.com/blog/it-security/social-engineering-red-flags-and-tips-for-training-users/
