Are Deceptive Pen Testing Methods Always the Wrong Way to Go?

It’s been interesting to watch all the articles and stories fly about the Army phishing attack carried out by an internal commander, and which was finally shut down last week.

Words like “panic,” disaster,” and “terrible’ and “irresponsible” are being thrown around like confetti.

Do I agree with the commanding officer’s decision to take matters into his own hands? No. He was one man acting on his own intuition, rather than one part of a concerted effort with proper executive notification. In an organization as large as the US military, no test should be completed without a lot of feedback and forethought.

It was also unfair to include the Thrift Savings Plan in an attack they knew nothing about—and then leave them to clean up the messy backlash.

But let’s get to the brass tacks here: we can’t necessarily call the commander’s actions “irresponsible” just because some folks got panicked or felt like guinea pigs.

Oh the Humanity: The Problem with Security Policy

Everybody talks about people using easy passwords. For example, using the same password forever and adding a 2. ‘Password.’ ‘12345.’ We all joke about it (even though it’s no laughing matter).

In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies. Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.

Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE

There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? All the affected employees may not even know yet.

The Real Cost of Data Breach Cleanup

In our experience, there is not a deep enough respect in the market for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations are mostly worried mostly about the intrinsic dangers of losing the actual data but do not demonstrate fear or motivation to invest in preventing the process of notification and remediation.

Oh, The Humanity! Another Pretexting Success Story.

And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our firsthand experience with pretexting, phishing, proximity attacks, and more have provided us with ample ammunition. And now, on to our next story...

A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.

Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.

So What Does the Dropbox Hack Mean for You?

So, a couple of months ago, two developers decided to hack Dropbox. Just because. You know what this world needs less of? VOLUNTEER hackers.