Re: Security: Technology vs Social Engineering
by phydeauxarff (Priest) on Jul 24, 2003 at 01:55 UTC
I actually had a much worse experience about 10 years ago that drove home the importance of thinking through the human factor in security.
After paying (big huge phone company who makes really expensive switches that I won't mention by name because I don't want to get sued) to implement a large switching system for our call center, everything was great until I got a page on a Sunday afternoon because our switch was pretty unhappy about a sudden spike in call volume.
After driving in to see what was going on, I realized a bunch of calls were routing from New York to all sorts of places on the planet via our 800 number for tech support.
After killing the entire New York and New Jersey area codes since we had no customers in that area, I heard the phone ring in our call center and heard the tech say, "it's that guy from the phone company again, what do you want me to tell him."...phone company? I thought...and had the call transferred to me.
After answering the call I hear, "Hi this is Rick with (really big phone company who put in my switch) and we are testing the lines on your system...could you transfer me to 910 so I can run a test?"
It turns out our techs had been dutifully transferring what they believed to be phone company employees to 9, outside line and then 1 0 for an international operator...great...that explains the $2k phone bill I now had to talk to our CFO about...
Of course, my point is this.....we locked the system down pretty good (or so we thought at the time) but no security implementation can ever fully take into account the kid who will hold the back door open as he comes in from his smoke break for the guy who is about to steal all your laptops ...you can try to implement whatever you want but to overcome the human factor you have to keep the awareness level high by communicating openly with your employees and making them part of, and accountable for your security processes.