MSc. Computing
A REFLECTIVE ESSAY
ON
Onwuegbuzie Innocent U.
Organizations have a lot to be merry and smile about when they are making a success of things and declaring excess bonuses at their Annual General Meeting (AGM); all seems to be going fine, and they attribute their success to the strong security backbone they have in the latest security hardware and software watching their backs. It is unfortunate to realize that even as they rejoice in their success, an antagonist, referred to in this essay as the Social Engineer, is right there plotting and strategizing on how to wipe the smile off their faces. He fervently closes in on them to find the “slightest loophole” and launches his attack at the exact time he feels convenient. Guess what this security loophole is? The humans manning these so-called sophisticated, latest hardware and software security infrastructures.
While I was growing up as an aspiring young man ready to break new ground, never did I think that there was any serious need to secure a company’s information, be it confidential, private or public. I felt that the success of most successful companies lies in how much money they pumped into the business to keep it up and running, and in how much dedication and diligence the workers or staff of an organization put in to ensure that the aims and goals of the company are achieved.
Having heard and read about how some companies wound up and fell out of business, I most of the time attributed it to staff embezzlement, bankruptcy, lack of focus and selfishness on the part of whoever aided the collapse. Even when I made personal researches into what might have led to the collapse of some of these companies, I only came up with accusing fingers pointed at incompetent management staff, and perhaps gathered little or no information concerning the company’s vital information, which I will refer to here as “The Company’s Source Code”: the secrets of how the company runs its business and keeps its head high above the tides, and which might have fallen into the wrong hands.
In the course of my research I sometimes came up with lack of maintenance of operational facilities as a major cause of company collapse, about which management never cared. As long as the money kept rolling in, it seemed to them that they were doing just fine.
Right from my early days, most especially when I came to the realization of what a computer was and what one can achieve with it, I immediately fell in love with the discipline. Although I did not study it as a first degree course, I knew from that first day of my encounter with a computer that this was exactly what I had wanted to study, and as time went by I began to build myself in this direction; my interest never left the computing world, as I was constantly keeping in touch with its growth, developments and implementations.
My very first encounter with computer networks and security issues was way back in my third year in the university, where I was fortunate to do my Industrial Training Programme at an Internet Service Provider (ISP) company. There was a particular incident in which the company’s network was half shut down by a virus attack. My boss, the CEO/owner of the company, who was a high-level IT officer working at Shell Petroleum Development Company (SPDC) in my country, Nigeria, acted swiftly as soon as he was notified of this security compromise. He isolated the segment of the network that was badly hit by the virus, and then moved the clients that were on the affected channels to another back-up channel where they could keep up with the company’s service without interruption.
This was my first experience of a network security compromise; it was such an eye-opening event for me, and this was when I learned about the functionalities of network security devices such as firewalls, intrusion detection systems, routers, anti-virus programs, etc.
As I grew in this field I came to realize that for your network to be secure, you need the most sophisticated network security devices and a broad knowledge of how they work and are configured. For me at this point, it seemed that with all these things in place, “your network is the most secure network in the world”. Little did I know that even at this level, one is still very vulnerable to network breakdowns and attacks.
The study of my Master of Science in Computing gave me the privilege of reading the book titled The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.
My eyes were opened to the fact that you might have all the sophisticated network security hardware and software, with up-to-date operating system patches and anti-virus updates, but still remain very vulnerable to security compromise by what Kevin D. Mitnick called Social Engineers.
The book, The Art of Deception: Controlling the Human Element of Security, has truly given me a new dimension from which to view security. An organization might have in place all the advanced and sophisticated hardware and software facilities, as well as very competent hands to operate these facilities, but still remain very insecure against Social Engineers. The question now arises: what is Social Engineering and who is a Social Engineer?
As defined by Wikipedia (2009), Social Engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
A Social Engineer is a person who uses the techniques defined above to achieve his aims or goals. An organization might not really appreciate the gravity of a Social Engineer’s attack until the bomb he has planted explodes. This could lead to the winding up of an organization, or perhaps threaten the standing of such an organization in the global market.
Social engineering attacks are increasing in frequency and can be technical or non-technical; both manipulate staff to gain unauthorized information, which can then be used to damage the organization or for criminal purposes. Social engineering concentrates on exploiting the weaknesses of people rather than IT systems or the computer security process. Staff targeted tend to be those who work in customer-facing roles, especially IT, help desks, receptionists, security guards, cleaning and catering.
To this end, it is seen that Social Engineers have so many ways in which they can launch their attacks; it is obvious that security firewalls, intrusion detection systems and other security devices are no match for them, because one of their most powerful tools is human manipulation. Social Engineers manipulate the personnel manning these security devices to gain access into the corporate organization; hence, at this juncture it is very pertinent for security experts to broaden their security perspective towards considering human weakness and devising appropriate measures to close this vulnerable loophole.
No doubt I now see things in a different way and across a broader spectrum when it comes to network and organizational security. It is not enough for an organization to have all the sophisticated and latest hardware and say it has it all. Network and organizational security goes beyond hardware alone to well and carefully planned network and management security policies that cater for human weakness in security issues.
Kevin D. Mitnick and William L. Simon (2002, p. 7) said in their book: “There is a popular saying that a secured system is the one that is turned off. It sounds clever but false: The Pretexter simply talks someone into going into the office and turning that computer on.” Once the system is on, a Social Engineer uses his hacking knowledge to gain access to that computer from a distance.
I am now of the opinion that for an organization to fully boast of a tight and secure system, it has to invest in training its employees against the attacks of Social Engineers. This can be done by delegating this responsibility to experts on anti-social-engineering, or perhaps contracting it out to an anti-social-engineering consulting firm.
The entire staff of the organization should be trained, regardless of position and status, as Social Engineers can use any employee as a victim. To this end I recommend the following:
• Train employees and help desk staff never to give out passwords or other confidential information by phone
• Don’t type in passwords with anyone else present (or if you must, do it quickly!)
• Keep phone closets, server rooms, etc. locked at all times and keep an updated inventory of equipment
• Keep all trash in secured, monitored areas, shred important data, and erase magnetic media
• Keep employees on their toes through continued awareness and training programs
CONCLUSIONS
REFERENCES
• Mitnick, K. D. and Simon, W. L., 2002, The Art of Deception: Controlling the Human Element of Security, 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• Wikipedia 2009, Social Engineering, Wikipedia: The Free Online Encyclopedia. Viewed April 16, 2009 from http://en.wikipedia.org/wiki/IPsec.
• Security Focus 2009, Common intrusion tactics and strategies for prevention. Viewed April 16, 2009 from http://www.securityfocus.com/infocus/1533.