
It's All About Control

To be more exact, it's all about the two sides of control. Are you thinking that the two sides of control are the person being controlled and the person who's doing the controlling? Wrong. True control is deeper than that. The two dimensions of control involve the person who believes s/he's in control and the person who is actually in control.

An old proverb says "You can lead a horse to water but you can't make it drink." This isn't entirely true: You could make the horse drink if he believed he was the one bringing you to the water to get a drink. One of the best ways to make people do what you want is to make them believe that they have control the whole time. This makes people feel comfortable; they feel as if they're making the decisions and they lower their guard.

Let me give you an example from the real world.

I was auditing a client and wanted to get a closer look at their building, server room, and network infrastructure. I also needed some information about their outbound mail server. Now, calling up and just asking for such information isn't advised, although sometimes it works. Instead, I applied for a job. I actually put together and sent in a résumé that fit an open position in their IT department. They replied to me with a message along these lines: "Thank you for sending us your résumé. We will be in touch." By ripping apart the return email, I was able to determine information about their outbound mail gateway.

The next step was the interview. The position I applied for was in IT, so it wasn't out of the ordinary for me to ask all sorts of questions about the network, server, backups, and who the current administrators were. Learning the administrators' names gave me a potential attack vector on logins. I had all the information I was looking for—and more.

Question: Why would this company let a suspected hacker into their building? Why let him talk to their network administrative staff about the inner workings of their network?

Answer: They felt that they were in control the entire time. They called me, they asked me in, they were looking for someone with my skills, and they never suspected that I was only there to gather information.
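The return-email step in the story above is something a defender can audit on their own outbound mail. The following is an added example, not code from the article: the article does not say which fields were read, so this assumes the `Received` trace headers and client headers such as `X-Mailer`, and the sample message, hostnames, addresses and version strings are all constructed.

```python
import email
import ipaddress
import re

# Constructed sample auto-reply; every hostname, address and version is made up.
SAMPLE_REPLY = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby inbound.applicant.example with ESMTP id A1; Mon, 1 Jan 2024 10:00:05 +0000
Received: from exch01.corp.internal (exch01.corp.internal [10.20.30.41])
\tby mx.example.net (ExampleMTA 4.2.1) with ESMTP id B2; Mon, 1 Jan 2024 10:00:03 +0000
X-Mailer: ExampleMail Client 11.0
From: hr@example.net
To: applicant@applicant.example
Subject: Thank you for sending us your resume

We will be in touch.
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"\b(?:from|by)\s+([\w.-]+)")
BANNER_RE = re.compile(r"\(([A-Za-z][\w.-]*\s+v?\d[\w.]*)\)")
INTERNAL_SUFFIXES = (".internal", ".local", ".lan", ".corp")  # assumed naming

def audit_headers(raw):
    """Return sorted (kind, value) pairs for details an outbound message discloses."""
    msg = email.message_from_string(raw)
    findings = set()
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        for ip in IP_RE.findall(hop):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue  # looked like an address but is not one
            if any(addr in net for net in RFC1918):
                findings.add(("rfc1918-ip", ip))
        for host in HOST_RE.findall(hop):
            if host.lower().endswith(INTERNAL_SUFFIXES):
                findings.add(("internal-host", host))
        for banner in BANNER_RE.findall(hop):
            findings.add(("mta-banner", banner))
    for name in ("X-Mailer", "User-Agent", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            findings.add(("client-header", f"{name}: {value.strip()}"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, value in audit_headers(SAMPLE_REPLY):
        print(f"{kind:14} {value}")
```

Run it against a copy of your own organization's auto-reply; anything it reports is a candidate for header rewriting or stripping at the gateway.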
