Social engineering—an apologist’s way of not calling a thief’s actions for what it is—is like an onion, or a really fine tiramisu cake: there are layers. On the other hand, the consequences of social engineering are quite unpalatable and far-reaching, so it’s closer to the onion than the cake. Full disk encryption can help if you fall victim to social engineering, but only if your company is security conscious.
What’s prompting the above observation is this article at darkreading.com. A penetration testing expert has had a 100% success rate, in one instance walking out of a client’s site with their outbound mail—with customer information in every single one of the five hundred envelopes. What’s penetration testing? It’s when people are hired to penetrate the confines of a company, to see how to and where to patch up potential security holes. And since penetration testing is a proxy for social engineering con jobs, it can point out where a company should reinforce its security policies.
Social engineering’s layers can involve calling up someone within the company and finagling that person’s username and password for accessing the company’s internal network; i.e., any form of stealing from a distance. Or, it can take the form of physically going into the company, feigning authority, roaming around, etc. until something of value can be taken; it used to be known as a con job before the “engineers” took over. And when the stolen item is a digital device—a laptop, desktop, external hard drive, or even a PDA—it could result in a massive data breach.
Now, if one has hard drive encryption on those devices, the contents are protected. The theft does not mean there will be a data breach; the consequences are about as dire as having your TV swiped. But like I stated, data encryption is no panacea. The protection afforded by encryption solutions like AlertBoot can be easily trumped if the thief is able to get the encrypted devices’ passwords. How would a thief get those passwords? Generally, the same way he swiped the device, via social engineering. Or, he could hit the jackpot due to the lack of security consciousness in the workplace: the password could be stuck to the bottom of a laptop, for example.
There is no information security panacea; no one solution can give you total security, allowing you to forget about security in general. In many ways, information security is a lot like insurance. To begin with, most people have it because they don’t know what’s going to happen down the road—accidents happen. But more importantly, there’s no security solution that is absolutely foolproof just like there is no insurance product that is all?encompassing. For example, have home insurance? It most probably does not cover flooding damages. The answer is to sign up for both if you want encompassing coverage (and even then lawyers probably have put in all sorts of stipulations). Likewise, if you decide to deploy hard drive encryption company?wide, you must also ensure that employees understand the consequences of not practicing information security. So, next time don’t just think, “I need encryption” or “I need data security.” Think, “I need a security solution that will use encryption and support security practices.”