Monday, November 26, 2007

Chapter 15

This chapter takes all of the lessons learned so far in the book and begins to tie them together. The main point is that there is no technology a manager can go out and purchase that will protect his or her company 100%. While Mitnick admits that technology can help to reduce your risk of becoming a victim of social engineering attacks, he suggests that the best way to protect yourself or your company is through a comprehensive training program. While this may seem obvious to most of us, I'm sure there are plenty of business owners out there who feel secure because their company has passwords protecting their computers or unlisted phone numbers for sensitive departments. The truth is that no technology is a match for the human brain, and when the human brain is used to deceive others it is extremely hard to stop.

Testing is something else that Mitnick suggests to ensure that employees stay alert to possible security breaches. I feel that this is the only way to ensure that employees are up to date and paying attention to the material being taught to them during the aforementioned training program. Like the MBA student who only bothers remembering something if it is going to be on the test, employees are often only concerned with what they will be evaluated on. By continuously testing employees on the proper security procedures, you will be able to see where the weak links in your organization are and help them to improve. All it takes is for one employee to doze off during security training to leave an opening for a social engineer. In my opinion, testing will expose this and eliminate the threat.

3 comments:

smh04 said...

I think that having your employees read this book is probably one of the best ways to prevent social engineering attacks. Of course that isn't going to be quite enough. Testing is of the utmost importance as well, otherwise it is unlikely that they will remember everything that they've read.

jpthe1manparty said...

Using the example of testing for students, do you feel that, like students, employees will forget everything learned directly after the testing? How can we ensure that what is being tested is not only understood but retained over time?

Lindsey said...

I feel like testing or even having quarterly meetings to discuss new ways to protect against social engineers is a good idea. This type of information is not the type that you just memorize and forget right away.