Exploiting everyday end-user behavior

And according to Contributing Editor Dan Tynan, typical IT administrators have
no shortage of worrisome situations to ponder during those long, sleepless
hours. Surprisingly, though, the culprit isn't necessarily faulty software or
hardware. It's often well-intentioned users, who may do something foolish like
set up an unauthorized Wi-Fi device at work or take a laptop home.
Those activities can compromise the entire network, especially if the user
falls victim to "social engineering", the art of manipulating people to get
them to do what you want. In the case of computer security, that involves
getting unwitting employees to divulge confidential information, leaving
networks wide open to attack.
The problem is more common than most IT pros realize. "If I were a white-collar
criminal, I wouldn't hack in over the network," says Steve Stasiukonis of
Secure Network Technologies. "I'd use social engineering to get the password I
needed and get inside the firewall."
Stasiukonis isn't a criminal, of course; he's the founder of a company that
performs security assessments. I contacted him after reading his column on
Darkreading.com, where he described a clever social engineering experiment
(www.darkreading.com/document.asp?doc_id=95556). As part of a security audit
for a credit union, one member of Stasiukonis' team wrote a Trojan that would
collect passwords and other data and e-mail them back to SNT. The team
installed the Trojan on 20 USB thumb drives and scattered them around the
credit union parking lot early one morning. Soon enough, folks picked them up,
plugged them in, and the passwords came rolling in. It was a trivial matter to
trawl the client's network and get other confidential data.
So much for a good night's sleep.
Where have all the Texans gone?
By Rodney Gedda, Computerworld Australia
I'm constantly amazed at how much dead wood is left to accumulate within
corporate IT departments.
When people talk about "legacy" systems, what do they really mean? Is the term
"legacy" used as a convenient way to hide the organization's past inaction?
We all know that IT is a dynamic industry, so how on earth do IT shops end up
with systems they can no longer get tape for and software that's long past its
expiry date running central business systems?
In most other industries, management accepts the fact that operational
infrastructure needs to be constantly refreshed to avoid the risk and expense
inherent with forklift upgrades. Transport companies update trucks,
manufacturers update machinery, telcos update network infrastructure, and
hospitals update medical equipment, but, heaven forbid, how dare we proactively
refresh core information management systems to avoid being stranded with a
paperweight that just happens to house all our business data?
It just doesn't make sense. To all those organizations with an archaic black
box that pre-dates human-readable code: seriously consider doing a pilot
project to make the move. There is clear evidence that modern computer systems
are up to the task of automating mission-critical processes, and what's more
encouraging, today's systems seem to be much less likely to leave users in
the "legacy" quagmire generated from yesteryear's approach of one system per
Don't be afraid to take a chainsaw to your legacy systems, because sooner or
later you'll have to, and it's better for you to start the engine than to be
told to start cutting with a dead-cold machine. Fire up the chainsaw every few
years, that's my motto.
With that approach, whether your modern IT systems are in-house, hosted,
commercial, or open source becomes academic.
Shark Tank stories
By Sharky, Computerworld (US)
Right on schedule
Pilot fish is vetting scheduling software and sets up a demo with the vendor
whose product looks the most promising. But to his surprise, a week before the
appointment, the vendor's rep shows up. It's a simple mistake; the rep misread
his appointment calendar. "But since I'm here, can I do the demo anyhow?" he
asks. "I told him it's fine with me," says fish, "but I don't know how to
explain to my co-workers that a vendor selling scheduling software showed up a
week early. He smiled, apologized and showed up the next week as scheduled."
User complains that she's not receiving some really important e-mails from the
HR group, which is recruiting a new employee for the marketing department.
"Even asking one of her co-workers to forward the HR e-mail had failed," says
fish. "But when I looked in her deleted-items folder, I found all the missing
e-mail. The user had created a rule to automatically delete spam with words
like Viagra and Cialis in the subject line. The HR e-mail had the subject
'Internal Job Opening: Marketing Specialist.'"
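The root cause of the missing HR mail is a plain substring match: the word "Specialist" contains the letters "cialis", so a keyword rule that looks anywhere in the subject line fires on a legitimate message. The following Python is an added illustration, not code from the Shark Tank column: it contrasts the naive substring rule with a whole-word match on a handful of constructed subject lines. The block list, sample subjects and function names are assumptions chosen for the demonstration.

```python
import re

# Constructed sample subject lines for the demonstration (not from the column).
SUBJECTS = [
    "Cheap Viagra here",
    "Internal Job Opening: Marketing Specialist",
    "Q3 budget review",
    "Cialis discount today",
]

# Assumed block list; the column names only these two words.
BLOCKLIST = ["viagra", "cialis"]

# Pre-compiled whole-word pattern: \b anchors stop "cialis" matching inside
# "Specialist". re.escape keeps any metacharacters in the words literal.
WORD_PATTERN = re.compile(
    r"\b(" + "|".join(map(re.escape, BLOCKLIST)) + r")\b",
    re.IGNORECASE,
)


def substring_rule(subject: str) -> bool:
    """Naive rule: flag if a blocked word appears anywhere in the subject,
    including inside a longer word. This is the behaviour that deleted the
    HR message."""
    lowered = subject.lower()
    return any(word in lowered for word in BLOCKLIST)


def word_boundary_rule(subject: str) -> bool:
    """Stricter rule: flag only when a blocked word stands on its own."""
    return WORD_PATTERN.search(subject) is not None


def flagged(subjects, rule):
    """Return the subjects a given rule would act on, in input order."""
    return [s for s in subjects if rule(s)]


if __name__ == "__main__":
    for name, rule in (("substring", substring_rule),
                       ("word-boundary", word_boundary_rule)):
        print(f"{name:14s} -> {flagged(SUBJECTS, rule)}")
```

Even with the tighter match, a rule that moves suspect mail to a junk folder for review is safer than one that deletes it outright: the false positive in the story was only found because the deleted-items folder still held the messages.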
That doesn't help
Frantic vice president calls IT manager pilot fish: he's trying to save a
presentation from the network to a USB thumb drive for a ready-to-start board
meeting, and nothing's working. It doesn't take fish long to find out why. "The
thumb drive is jammed into the network port," reports fish. "I unplug it, put
it into the USB slot, then plug the network cable back in, and the presentation
is downloaded in seconds and stored. When I ask why the VP put the USB drive
into the Ethernet port, he responds that he wanted to download the file from
the network, so he put the key into the network port to speed up the process."

Exploiting everyday end-user behavior
worrisome: worrying, troubling
ponder: to think over, reflect on, mull over
culprit: the guilty party, perpetrator
well-intentioned: well-meaning, acting with good intentions
unwitting: unaware, unknowing
divulge: to reveal, disclose
trawl: to fish out, to haul in
Where have all the Texans gone?
dead wood: dead timber (figuratively, deadweight)
inaction: inactivity, failure to act
inherent with: belonging to, inseparable from
be stranded: be left in the lurch, get stuck
quagmire: swamp, marsh
chainsaw: power saw
Shark Tank stories
vetting: evaluating, assessing
rule: rule
frantic: desperate, panicked
jammed: blocked, stuck
speed up: to accelerate
The reports published here in their original wording were edited and selected
from the worldwide news sources of the IDG publishing group. The texts are
intended for anyone interested in improving their technical English.
Compiled by: pat(pat) 6 1105