Friday, March 18, 2005

Wow. We Are The Weakest Link...

I've mentioned my profession here before, but I'll repeat it now: I'm a certified, bona-fide, don't-just-play-one-on-tv, professional network geek. It's my job to design, build, and maintain computer networks that are both robust and secure. It's a sad fact in my profession that no matter how good you make the network, it still has to interact with a component you can't really secure. The user. Take note:

::::::::WASHINGTON — More than one-third of Internal Revenue Service (search ) employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday.
The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

Based on nothing more that receiving a phone call - from someone they didn't know - and hearing a confidently told story, these folks coughed up access to their system in general, and in specific to whatever files and functions they use in the course of their day. The process is called social engineering. (Click the link for a fine article on the subject.) It relies on people not following procedure, if one exists at all.

As a professional, here's some advice for all of you that deal in information systems that you'd prefer not get compromised:

  1. Never give out your password, period. There's absolutely no reason anyone but you needs to know that. There's nothing your password will do for a member of your IT support staf that they can't do on their own, so they don't need yours.

  2. Don't change your password to something someone else tells you. Your password is your password and it identifies you to the computer. You make it and you make it what you want.

  3. If you even suspect that the person you're dealing with isn't a member of your IT support staff, get their number to call them back. If they're hacking, they'll likely hang right up at that point. Check the corporate directory. If they're not in there, feel free to call the IT group's help desk and ask them if they have someone working on an issue for you.

  4. Get familiar with your corporate IT security policy. If you don't have one, suggest to your IT management that they read the article I've linked and get one in place.