Social engineering never tasted so good

By Stuart Finlayson

A recent survey of 172 office workers in London produced the alarming statistic that 71 percent of those polled were willing to divulge the password they used to log on at the office in return for a chocolate Easter egg. Just a case of the Brits being lackadaisical, or are we just as susceptible in the Antipodes to revealing all for a bit of afternoon tea? Stuart Finlayson finds out.

The term social engineering, when applied to IT security, describes the method by which a person is duped into revealing sensitive network security information, such as passwords, by non-technical means. This is usually achieved by gaining the confidence of the person concerned, whether by invoking authority, appealing to their vanity, or one of numerous other ways.

Now, while a person could be forgiven for falling for the spiel of such a confidence trickster, the same could not be said of the London office workers who foolishly gave up their passwords for a chocolate treat.

But before we start to feel superior and scoff at the stupidity of the Poms for being so easily tempted, Norm Kohlberger, regional product manager, Asia-Pacific, Symantec, has more than a few examples to quote of similar slackness right here in Australia.

"Absolutely. We have found within a lot of organisations that people used the same password for multiple applications. Also, about 60 percent of those people either never change their password/s or only change them once annually, unless they are forced to."

Kohlberger says that one of the main stumbling blocks to adequate password security within organisations is the average worker's perception of their password.

"People have become lackadaisical in the sense that they seem to forget that a password is a virtual lock for personal information, and it deserves the same respect that you would give an anti-virus program, a firewall program, or your bank account PIN, because you are effectively locking up your personal information." After all, you wouldn't go sharing your bank account PIN with all and sundry in exchange for a Dairy Milk or a Moro bar, would you?

The other thing, says Kohlberger, is that most people have a tendency to forget all about their password protection once they have completed the initial set-up.

"It's something that has to be monitored on a continual basis. What we are also finding is that people are using passwords that are not special enough, such as birthdates and common family names."

That's not to say that people shouldn't have passwords they can easily remember, but rather that they shouldn't choose something someone else can easily guess, such as their pet's name or favourite footy team.

"Where the passwords are kept needs to be encrypted, and there has to be a way of backing up the data, as no-one likes to lose all their passwords," adds Kohlberger.

A few simple steps maybe, but those steps are largely ignored in the workplace at the moment. Who knows, maybe after reading this, fewer people will jot their passwords on scraps of paper they then leave lying in their desks; fewer people will use the word 'password' as their password, and fewer still will surrender their password to a stranger in the street for some chocolate!
