I’ve been involved in a lot of discussions over the past few months about “securing the human” with regard to information security. As I mentioned last week, I’ve been reading Kevin Mitnick’s book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” which I just finished and I highly recommend.
In the book, it was clear that Kevin had decent technical skills but wasn’t the most brilliant coder, the best infosec architect, or anything like that. He was extremely successful because he was extremely good at social engineering. Sure, he exploited technical flaws, but most of his attacks succeeded because he was able to exploit weaknesses in people to gain access to the systems and data he wanted.
A long time ago, I used to experiment with getting into places just for fun. At the time, I didn’t know there was a name for it – I hadn’t heard of social engineering. One of the most effective “tricks” I found was to dress in a way that blended in with other people in the environment, and to pick up a clipboard with some papers and a pen on it. I’d then walk confidently wherever I wanted to go. Often, I’d go through hotels, conferences, convention centers, movie theaters, restaurant kitchens, etc. and just look around to see how far I could get before people challenged me. You’d be surprised at how well it worked – I know I was.
I used to say that “a clipboard and a confident attitude will get you into most places.” That’s true for physical access, but what about electronic access? I’d say it’s harder in some ways because there are passwords, policy checks, etc. but what I recognized from reading Kevin’s book is that a lot of organizations overlook the linkage between the human and electronic infrastructure. Sure, we do a lot to try to establish and enforce good password policies, etc. but if people can trick someone into sharing their complex password over the phone it’s “game over.”
How do you teach paranoia and suspicion? We often hire people because of their willingness to help others, their good communication skills, their ability to be responsive, etc., which means we are hiring “vulnerable” people who conscientiously use their “vulnerabilities” for good. Do you think it’s any coincidence that so many information security people have difficult UIs? I don’t – part of a security mindset means questioning the status quo and being willing to confront others.
As we work through securing our humans, we need to strike a balance – trust but verify, assist but not unquestioningly, etc. I’d love to hear from others about their playbooks for securing humans, especially any techniques to help balance helpfulness with suspicion.
After all, we don’t want just anyone with a clipboard to gain access to our infrastructure.