[Image: Bogus Vatican Image]
[Image: Boris Karloff, The Mummy, 1932]
So how did I spot this unwitting social engineering attack? Chance. Striking images stick in the mind, and I happened to remember a source that really was in my DB: a Washington Post piece titled "About those 2005 and 2013 photos of the crowds in St. Peter's Square." There is no effective defense against social engineering attacks against a broad workforce, most of whom are just trying to live their lives.
If you do not assume that you will be hacked, you are Doing It Wrong. Worse, you are making that mistake in the face of a vast body of contrary evidence, and the "Your security is important to us" PR line is becoming widely ridiculed by both the security community and, more importantly, the public, who are growing rather tired of the charade.
There are obvious things that can be done in beginning to address the problem. Most of them involve policy and standards, and the mechanisms for creating and enforcing them, or even (very doubtfully) convincing the workforce that their perfect performance is necessary. But these are, in the main, only available to larger organizations, where they work no better than they do at smaller scales.
As long as this sorry state of affairs persists, the security industry will continue to fail, in an increasingly obvious manner.