Much has been said about information technology (IT) systems security, and much has been done on the hardware and software side to thwart attackers, protect corporate data, and keep your systems from being used for nefarious purposes. We have been inundated with anti-virus software, firewalls, passwords, and the like, all designed to prevent something very bad from happening to your business.
With all the progress made in keeping criminals from breaking into IT systems, many of them no longer bother expending the effort to hack in. They simply trick someone into giving them a password, for example, or coerce someone into giving them access to your network. Even with a virtual fortress built around your corporate IT infrastructure, you are left with the prospect of "social engineering," the term coined to describe this exploitation of the human link in your corporate security chain.
The following is excerpted from an article by Sarah Granger, posted on http://www.securityfocus.com:
"One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they 'lost' their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)"
Consider your own organization's vulnerabilities to social engineering. What if a new employee is intimidated by a caller she believes is an executive in your own company, and she gives up a password? What if someone claiming to be an employee says he forgot his key and is let into the building as a courtesy? What if somebody in HR is called away from her desk for a moment, her computer still logged in to the network, giving somebody else enough time to take a quick look at payroll? In each of these cases no technical control is defeated: the password policy, the door lock, and the network login all worked exactly as designed, and the person was the weak point. How do you prevent social engineering without turning your entire company into a bunch of mean, distrustful, paranoid cynics? Give Micro Visions a call at 616-776-0400 and let's discuss how you can shore up the human link in your corporate network without ruining your corporate culture.