Exploiting everyday end-user behavior

So what keeps IT pros awake at night? Typical IT administrators have no shortage of worrisome situations to ponder during those long, sleepless hours.

Surprisingly, though, the culprit isn't necessarily faulty software or hardware. It's often well-intentioned users, who may do something foolish like set up an unauthorized Wi-Fi device at work or take a laptop home.

Those activities can compromise the entire network, especially if the user falls victim to "social engineering" -- the art of manipulating people to get them to do what you want. In the case of computer security, that involves getting unwitting employees to divulge confidential information, leaving networks wide open to attack.

The problem is more common than most IT pros realize. "If I were a white-collar criminal, I wouldn't hack in over the network," says Steve Stasiukonis of Secure Network Technologies. "I'd use social engineering to get the password I needed and get inside the firewall."

Stasiukonis isn't a criminal, of course; he's the founder of a company that performs security assessments. As part of a security audit for a credit union, one member of Stasiukonis' team wrote a Trojan that would collect passwords and other data and e-mail them back to SNT. The team installed the Trojan on 20 USB thumb drives and scattered them around the credit union parking lot early one morning. Soon enough, people picked them up, plugged them in, and the passwords came rolling in. It was a trivial matter to trawl the client's network and get other confidential data.

So much for a good night's sleep.
