The Desire to Help and Security
We are programmed with a desire to help others in need, but this trait is one of the reasons that hackers are so successful at infiltrating our networks, as I mentioned in this post. This past week the Black Hat conference took place, followed by DefCon (in its 25th year). Both cover the security landscape and feature plenty of insights into attacks and ways of preventing them. The keynote at DefCon this year focused on “Making Security Work for Everyone,” featuring Alex Stamos, the Chief Security Officer of Facebook. Last year I was lucky to be in the room during the Social Engineering Capture the Flag (SECTF) competition at DefCon24 when the winning participant was on stage. This year I witnessed a similar success, with the previous year’s runner-up demonstrating masterful social engineering in the 20 minutes she had:
Each year players compete to extract information from a list of target companies over the phone, simply by using clever subterfuge and social engineering skills. It was an eye-opening experience to witness the ease with which a complete stranger was able to create a trusting relationship with an employee in the target company and extract a long list of information. You can read the details of the competition, the targeted companies, and the information contestants were asked to gather here. Social engineering is not the end game but an entry point for carrying out targeted attacks, and it is increasingly in use and even being automated. Artificial (or Augmented) Intelligence is being used in many areas, and hacking is no exception: security companies are using AI to help automate protection, but there is no reason why hackers won’t use the very same AI technology to increase the number and sophistication of their attacks.
Security is Everyone’s Responsibility
The intent of the competition is to expose the risks and educate individuals and employees about the risks to them and their business. Investing in security education fulfills a corporate goal but is a bit like offering health insurance to employees: it gives them value as well. Not only are they better equipped to protect corporate assets and information, but they are also better placed to protect their own personal assets, family, and personal finances. We don’t hear too much about the “Nigerian 419 Scam,” but that’s not because it is no longer being used or impacting people. As this chart from 2013 shows, these scams continue to increase, reaching $12.7 billion in 2013.
We remain constantly under attack from variations of these approaches and newer methods like phishing, vishing, and smishing (email-targeted, voice-targeted, and SMS-targeted attacks respectively). Security needs to be everyone’s responsibility and has to come from the very top of the organization and the family. In my household, I invest a lot of time explaining these attack vectors and sharing the stories of individual and corporate failures and losses that resulted from poor security. I never miss an opportunity to use examples from around me of why security matters and what you can do to reduce the risk. The same should be true in any corporate environment: security needs to come from the board and CEO down. It can’t be an edict that applies only to employees while senior leadership ignores or even bypasses the recommendations and training. Companies that had clear security guidelines and equipped their employees to deal with potential attacks performed better and had a lower risk of being breached.
Incremental Improvements for Employees in Managing Security
The recent WannaCry ransomware outbreak, closely followed by Petya, swept around the world and crippled many companies and services. It offered a window into future potential challenges and raised awareness of security. Here are my suggestions for incremental improvements:
- Make Security a Top Down Primary Focus for your organization
- Offer Training to your employees on Security Attacks and Mitigation
- Train and Encourage Everyone to Question Information Requests so they can Make Good Decisions
- Make Learning about Security Fun and Practical
- Help Everyone Understand the Value of Information in the Context of Security
- Consider Developing Simple Security Protocols that are Easy to Learn and Follow
- Test Your Security
Do you have any better suggestions? What small change have you seen that makes a difference in improving your employees’ behavior, or in your personal life, that improves your security posture? What one thing could we do that would have a big impact in this area?
This post previously appeared on ICD10 Monitor