Wednesday, July 13, 2016

It's So Easy to Be Taken In

In other exciting news, Social Engineering attacks still work. Duh. But here's an illustrative example of it being done completely innocently. This is from another security worker-bee who was all on about why mobile and Bring Your Own Device (BYOD) was such a corporate threat.

Bogus Vatican Image
Bogus Vatican Image
That's a complicated topic, as evaluating risk always is, and is wide of the point that I want to make: the most effective possible social engineering attack comes from the innocent and mistakenly trusted. A very human failing, greatly magnified by transitive trust (friend-of-a-friend) issues. Which, make no mistake about it, we are all prone to. I might be particularly susceptible; because I am such an open, trusting sort of person.
Boris Karloff, The Mummy, 1932
Boris Karloff, The Mummy, 1932

The thing about that Saint Peter's Square image is that it was already in my database as bogus. Unlike the above Karloff image, which I only include because it was a cool old movie. Frivolity, thy name is Greg.

So how did I spot this unwitting social engineering attack? Chance. Striking images stick in the mind, and I happened to remember a source that really was in my DB: a Washington Post piece titled About those 2005 and 2013 photos of the crowds in St. Peter’s Square. There is no effective defense against social engineering attacks against a broad workforce, most of whom are just trying to live their lives.

If you do not assume that you will be hacked, you are Doing It Wrong. Worse, you are making that mistake in the face of a vast body of contrary evidence, and "Your security is important to us," PR is becoming widely ridiculed by both the security community, and more importantly, the public. Who are growing rather tired of the charade.

There are obvious things that can be done in beginning to address the problem. Most of them involve policy and standards, and the mechanisms for creating and enforcing them, or even (very doubtfully) convincing the workforce that their perfect performance is necessary. But these are, in the main, only available to larger organizations, where they work no better than they do at smaller scales.

As long as this sorry of affairs persists, the security industry will continue to fail, in an increasingly obvious manner.