

MSc. Computing (CS C13 07)

The Art of Deception (Controlling the Human Element of Security)
Kevin D. Mitnick & William L. Simon

Written by
Ibrahim Abaker Targio

DATE SUBMITTED: May 11, 2009

RECEIVED BY: Mr. Christopher Lim (Course Lecturer)

How fragile can an organization be? This was a question put to me some time ago by one of my
more advanced colleagues. It sounded funny and confusing. Is an organization really fragile? If so,
in what context is it fragile? These are questions I kept asking myself until recently, when I took
my Master's course in Computing. During the course of my Master of Science in Computing
programme, I was taught about network and organizational security, and as the course went into
detail, I finally found answers to the questions that had long puzzled me.

Of course an organization might truly be fragile in the context of security by not having the
necessary and right security policies to guide its operations, or perhaps by holding the ignorant
perception that nobody is interested in how the organization is run and managed. In truth, no
matter how small an organization may be, there is someone or some group out there that envies
and is perhaps jealous of how successful the organization is. Given the opportunity, this person or
group of people would want to bring the company down or put it out of business. These are the
people that Kevin D. Mitnick and William L. Simon (2002) called Social Engineers.

Kevin D. Mitnick and William L. Simon authored the book “The Art of Deception: Controlling
the Human Element of Security”. During the course of my Master's programme I was fortunate to
read this eye-opening and interesting piece of work. A well-detailed and analytical explanation is
given of the profession called Social Engineering and of those who are involved in the practice,
and of why and how they carry out their operations. In this book, Kevin D. Mitnick and William L.
Simon (2002, p.3) narrow it down to the fact that “Humans are security’s weakest link”.


To me, all that mattered was the hardware infrastructure; as a matter of fact, I so much admired any
organization that paraded the very latest and most sophisticated network hardware infrastructure,
such as Intrusion Detection Systems, Intrusion Prevention Systems, Firewalls, Routers, Switches, etc.,
and had the most competent hands to manage them. It seemed to me that the security of such a
system was very tight.

It is so amazing for me to now understand that I was seeing security from only one angle, the
infrastructural angle, and leaving the human loophole or weakness behind.


Prior to my learning about Network Security, I had never thought that there are people out there
who could illegally gain access to an organization's network by using tricks to deceive people or
employees into giving them what they need. When I was working as a trainer at Capital
Hospital in my country, I found out that most of the employees did not have comprehensive
knowledge of how to fully operate a computer. One of the Secretaries of the Chief Medical
Consultant had the responsibility of keeping some sensitive medical data and of not giving it to
anybody who did not have permission to access it, but because she was not well trained in the
confidentiality of corporate documents and systems, she simply asked for my assistance to
change the password on her system. Knowing full well that I did not have permission to
log on to her system, I demanded that she give me her current password, as well as the new
password she wanted to use for the system. I was glad to render this assistance to her without
having any ulterior motive. By this time I had never heard of the words Social Engineering or
Social Engineer, let alone how they operate. It is so obvious that if this assistance had been
rendered by a Social Engineer, then a big security loophole would have been left for him to
strike from a remote location, on the condition that he had a particular interest in the


Social Engineering is defined as the act of tricking a person into giving up sensitive information
rather than breaking into a system. Kevin D. Mitnick used to be a social engineer, and in his book he
describes in detail the ways in which social engineers can quickly gain trust and then extract
increasingly valuable information from company employees, usually over the phone or from
pieces of paper thrown away by employees.

Social Engineers see the weakness in employees, and this is the willingness of people or employees
to render help or assistance to a fellow employee without adequate confirmation of the so-called
fellow employee’s status. Even when it is well spelt out that a particular document or piece of
information is classified or confidential, they give it out to the unconfirmed person over a phone
conversation out of sympathy and a wish to assist. This is one of the greatest weapons of the
Social Engineer, and for many years it has proved successful.

I have come to realize that the nonchalant, “I don’t care” attitude of employees towards their
duties has really made Social Engineering attacks much more successful. For instance, writing a
system's password on the departmental notice board, on the monitor screen, or on a note pasted
under the keyboard. This is truly a bad practice and must be stopped if the impact of Social
Engineers is truly to be avoided. Social Engineers are aware of all these weaknesses, and so
when they present themselves as legitimate personnel in an organization, they already know
where to look to get the password they are after.

Most people know that they should not give out passwords to strangers, but they are not at all
concerned about giving out names, e-mail addresses or telephone extensions to those same strangers. A
Social Engineer can use such seemingly harmless bits of information to gain the trust of
another employee at the same company or organization, and then use this information to
pretend that he is one of them, until employees are handing out sensitive information to a total
stranger over the phone simply because he sounds like one of them.

It takes more than just having the latest and most sophisticated network infrastructure to stop a Social
Engineer; instead, additional emphasis should be placed on the vulnerability of human
weakness when it comes to security issues, and hence adequate and functional policies should be
spelt out to take care of these human loopholes by enlightening and educating employees about the
existence of Social Engineers and how they operate. When this is done, then to a reasonable extent an
organization can be sure of a reasonable level of security, bearing in mind that hundred percent
(100%) security can never be achieved.

The book is full of brief stories that serve to demonstrate how different types of social
engineering attack play out. I have to admit that, at first, while I was reading the stories in this
book, I muttered to myself that there was no way real employees would behave as
described, but the more I thought about it, the more examples I could think of in real life where
people had been more than obliging over the phone, despite not knowing me.


At this level I can now say that for an organization's security to be tight, a lot more than just
network security hardware is needed to secure the perimeter of the organization. While
network security hardware secures the organization's hardware end, Management Security
Policies should secure the human, man-powered end of its security.

To this end it is my opinion that organizations should set up a body to look into issues
relating to Social Engineering and Social Engineering attacks. This body should be given the
autonomous power to draft Management Security Policies that cater for human
weakness. They should also be responsible for organizing, coordinating and carrying out training
and awareness programmes on matters relating to Social Engineering and the like. I recommend that
this autonomous body address the following recommendations in its duties:

• All members of management must agree to the policies and understand the need to
properly prove their identities when making requests for passwords, etc.
• The policies must be disseminated to all users of the network, with education and training
provided as to why compliance is essential.
• There should be explicitly defined consequences for violating the policies.
Your security policies should be specific and should address such issues as:
• Strong password policies: minimum length, complexity requirements, requirements to
change passwords at specified intervals, prohibition on dictionary words, easily guessed
numbers such as birthdates and social security numbers, etc., prohibitions on writing
down passwords.
• Prohibitions against disclosing passwords, to whom (if anyone) passwords can be
disclosed and under what circumstances, procedure to follow if someone requests
disclosure of passwords.
• Requirement that users log off or use password protected screensavers when away from
the computer, cautionary instructions on ensuring that no one is watching when you type
in logon information, etc.
• Physical security measures to prevent visitors and outside contractors from accessing
systems to place key loggers, etc.
• Procedure for verifying identity of users to IT department and IT personnel to users
(secret PINs, callback procedures, etc.).
• Policies governing destruction (shredding, incineration, etc.) of paperwork, disks and
other media that hold information a hacker could use to breach security.
(Windows Security, 2009)
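As an added example, not from this essay or from the Windows Security article it cites, the password bullet above can be turned into an automated check that rejects a candidate password before it is set: minimum length, no dictionary words (even with the usual letter-for-digit substitutions), no digit runs that parse as a calendar date such as a birthday, and none of the user's own identifiers. The wordlist, date layouts, user identifiers and candidate passwords are all constructed stand-ins; a real deployment would load a full dictionary and a breached-password list.

```python
"""Password policy checks (constructed example): length, dictionary words,
date-like digit runs and personal identifiers."""
import re
from datetime import datetime

MIN_LENGTH = 12

# Constructed stand-in for a real wordlist / breached-password list (assumption).
DICTIONARY_WORDS = {"password", "welcome", "hospital", "letmein", "secret", "admin", "summer"}

# Substitutions attackers' wordlists already cover, so "P@ssw0rd" counts as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Digit-window length and the date layouts tried at that length.
DATE_FORMATS = (
    (8, ("%d%m%Y", "%m%d%Y", "%Y%m%d")),
    (6, ("%d%m%y", "%m%d%y", "%y%m%d")),
)


def normalise(password: str) -> str:
    """Lower-case and undo leet substitutions before any word matching."""
    return password.lower().translate(LEET)


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_word_len: int = 5) -> bool:
    """True if any list word of min_word_len+ characters appears inside the normalised password."""
    norm = normalise(password)
    return any(word in norm for word in words if len(word) >= min_word_len)


def contains_date(password: str) -> bool:
    """True if any 6- or 8-digit window inside a digit run parses as a calendar date."""
    for run in re.findall(r"\d+", password):
        for length, formats in DATE_FORMATS:
            for start in range(len(run) - length + 1):
                chunk = run[start:start + length]
                for fmt in formats:
                    try:
                        datetime.strptime(chunk, fmt)
                        return True
                    except ValueError:
                        continue
    return False


def contains_identifier(password: str, identifiers) -> bool:
    """True if a username, name or extension of 3+ characters appears in the password."""
    norm = normalise(password)
    return any(ident and len(ident) >= 3 and ident.lower() in norm for ident in identifiers)


def check_password(password: str, identifiers=()) -> list:
    """Return the policy violations for a candidate password; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if contains_dictionary_word(password):
        violations.append("contains a dictionary word")
    if contains_date(password):
        violations.append("contains a date-like number")
    if contains_identifier(password, identifiers):
        violations.append("contains a personal identifier")
    return violations


if __name__ == "__main__":
    # Constructed candidates; the identifiers stand in for one user's directory record.
    user = ("ibrahim", "targio", "ext4512")
    for candidate in ("Summer2009!", "P@ssw0rd11052009", "Ibrahim-2009-xyz!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, user) or 'OK'}")
```

The dictionary check runs on the normalised form because attackers' wordlists already include the P@ssw0rd-style variants, and the date check flags any 6- or 8-digit window that is a valid date rather than relying on a list of known birthdays. Periodic rotation and the disclosure rules in the other bullets are account-level procedures, not per-password checks, so they sit outside this code.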
If all these points are followed in full, I am quite optimistic that an organization should be
secure enough to avoid a successful strike by Social Engineers.


• Mitnick, K. D. and Simon, W. L., 2002, The Art of Deception (Controlling the Human Element
of Security), 1st edn, Wiley Publishing Inc, Indianapolis, Indiana, USA.
• Windows Security, 2009, How to defend against Social Engineers, viewed May 7, 2009.
• Security Focus, 2009, Common intrusion tactics and strategies for prevention, viewed
May 7, 2009 from: