Hi everyone,
Just thought we would let you know there is much more information available on this site simply by clicking on the link menu above. There is a ton of information, examples and even videos that you can look at.
Thank you,
The Wetware Group
Hacking Wetware
Topics of Interest
Thursday, March 22, 2012
Wednesday, March 21, 2012
What is Wetware?
Wetware refers to the human brain and the decisions that humans make when they are using the computer. From the point of view of security, the "wetware" of the users is the most important factor. It doesn't matter how many firewalls, honeypots, ID cards, or RSA devices you have, or how well your "least-privileged" access is set up, if trusted users simply hand over the keys to the system to others.
As Bruce Schneier writes, "Security is a process, not a product." Real security is hard, since it's not just about plugging in a security widget that will make all your problems go away. It's about processes and training your people to do the correct thing, all the time, no matter what.
What is Social Engineering?
The risks to an attacker from Social Engineering are quite small compared to more technical hacks, and social engineers can also enter systems much more quickly and easily. Social Engineers who ALSO know the technical hacking side (like Kevin Mitnick and Frank Abagnale) are especially dangerous.
And yes, Social Engineering can be that easy...
What is a Penetration Test?
A penetration test or "pen test" is a method used to test the security procedures, protocols, and response to an attack on the computer network. In a pen test a security contractor attempts to break into a network using the same techniques that real attackers may use. This may involve checking for unpatched vulnerabilities, absence of anti-virus software, or even the actions of the employees themselves. It is the response of the employees to Social Engineering-based attacks that we are exploring in depth for this project.
When conducting such tests, it is critical that the organization and their security consultant take care to protect themselves from legal action. As this white paper points out, the actions taken by the security company would be illegal in any other situation. Proper legal preparation is critical and should include worst-case scenarios (for example, a suspicious employee calls the police), and when on-site, the security company employees/contractors should have a way for upper management to "rescue" them if something goes wrong.
The job status of any employee who "messes up" during such a test should be clearly laid out - in fact a company should be encouraged to treat employee failures as a positive sign - those are what help improve the long-term response to a real attack. Firing or otherwise punishing these employees would be a poor decision. In a real attack, the same employees who learned from their mistakes will be the first ones to recognize and respond appropriately to the real intruders. They become much more valuable to the organization.