Tuesday, November 19, 2013

Open Letter to IT Departments: People are Important to Your Security Plan.

Read a Dark Reading article this morning that I really enjoyed. First of all, any article on information security that can work in the zombie apocalypse is A-OK in my book. Nicely done, Glenn Phillips.

And you know, the comparison works surprisingly well. Way too many businesses focus on just a few security dangers (for example, amassing weapons to blow away those pesky zombies) without addressing the whole picture of security (forgetting to stockpile water so you don’t…well…die).

Another problem? Letting an IT team dictate what works and what doesn’t without really considering what Phillips calls “the human component.”

I especially identified with Phillips’ example of the IT department requiring a new, impossible-to-remember password every 60 days. I’ve worked in places like that, where IT made those sorts of demands with a sort of “Do it or else” attitude. This was ineffective. Those demands were usually 1) ignored and 2) laughed at.

Thursday, November 14, 2013

Oh, the Humanity! Train Employees to Say "No" to Social Engineers

Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.

After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.

Tuesday, November 12, 2013

When Identity Theft Hits Home

My office was quieter than usual when my cell phone buzzed. It was my mother. While it was no surprise for her to call, a mid-morning Thursday call was unusual.

"Hey, Mom. How's it going?"

"Well…" she said, voice cracking. "Not too good."

Tuesday, November 5, 2013

Oh, The Humanity! Another Pretexting Success Story.

And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training, and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...

A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.

Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.