In the last Security Notes, we covered the first of the "3 P's," of information security: perimeter. This month we will introduce the second "P" - people.
One of our most frequently requested services is a penetration test. While this term has come to mean many things, the intent of the requester is usually this - "show me how an attacker could gain illegitimate access to my company's information." Some companies are overly confident and request a penetration test as a type of challenge. Their company has just finished installing the new Total Information Security Now 3000 appliance and they are convinced they are totally secure and only legitimate users can get onto their networks. For the more cynical or budget-constrained requesters, the question becomes more like, "What WON'T an attacker be able to get?"
More often than not, the state of any given organization's information security program is somewhere between these two implied extremes. And, while an exhaustive security assessment would identify various strengths and weaknesses under each of the 3 P's, perimeter, people, and policies, a penetration test is more targeted. All an attacker needs is one weak link or - in popular security lingo - one piece of low hanging fruit. Sadly enough, it's likely that one of the more easily picked fruits is sitting in the cubicle next to you.
People are often the weakest link in any security system. Attackers utilize social engineering attacks to gain access to your organization's valuable information by preying upon the trust, curiosity, and lack of discernment in the typical employee. The most direct means of shoring up this weakness is through regular training and awareness for everyone in your organization. To be effective, this training must be supported by comprehensive security policies, but we will save that topic for next month.
How confident are you that your employees or co-workers know how to respond to social engineering? If you are interested in learning more about how to train your employees so they are not the weak link in your security program, give us a call and allow us to provide the assurance you're seeking.