Fish tempted by fishing hookAs technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?
Continue Reading If you teach a man to phish …

Ignorant DoctorIf you had a choice between doctors to perform surgery on you, which would you pick:  a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?

The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.”  It’s a check-the-box response to regulatory compliance or client demands.   Sign everyone up for an on-line phishing exercise and you’re done.  Yet the consequences of ineffective training can be dire.  You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.

This is not to say that awareness is unimportant.  But raising awareness is just the first step in effective cybersecurity defense.  Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them.  In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets.
Continue Reading How to gain assurance against human security vulnerabilities