
I’ve been involved in a lot of discussions over the past few months about “securing the human” with regard to information security.  As I mentioned last week, I’ve been reading Kevin Mitnick’s book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker,” which I just finished and I highly recommend.

In the book, it was clear that Kevin had decent technical skills but wasn’t the most brilliant coder, the best infosec architect, or anything like that.  He was extremely successful because he was extremely good at social engineering.  Sure, he exploited technical flaws, but most of his attacks succeeded because he was able to exploit weaknesses in people to gain access to the systems and data he wanted.

A long time ago, I used to experiment with getting into places just for fun.  At the time, I didn’t know there was a name for it – I hadn’t heard of social engineering.  One of the most effective “tricks” I found was to dress in a way that blended in with other people in the environment, and to pick up a clipboard with some papers and a pen on it.  I’d then walk confidently wherever I wanted to go.  Often, I’d go through hotels, conferences,  convention centers, movie theaters, restaurant kitchens, etc. and just look around to see how far I could get before people challenged me.  You’d be surprised at how well it worked – I know I was.

I used to say that “a clipboard and a confident attitude will get you into most places.”  That’s true for physical access, but what about electronic access?  I’d say it’s harder in some ways because there are passwords, policy checks, etc., but what I recognized from reading Kevin’s book is that a lot of organizations overlook the linkage between the human and the electronic infrastructure.  Sure, we do a lot to try to establish and enforce good password policies, etc., but if people can trick someone into sharing their complex password over the phone, it’s “game over.”

How do you teach paranoia and suspicion?  We often hire people because of their willingness to help others, their good communication skills, their ability to be responsive, etc., which means we are hiring “vulnerable” people who conscientiously use their “vulnerabilities” for good.  Do you think it’s any coincidence that so many information security people have difficult UIs?  I don’t – part of a security mindset means questioning the status quo and being willing to confront others.

As we work through securing our humans, we need to strike a balance – trust but verify, assist but not unquestioningly, etc.  I’d love to hear from others about their play books for securing humans, especially any techniques to help balance helpfulness with suspicion.

After all, we don’t want just anyone with a clipboard to gain access to our infrastructure.

  • adammontville

    Dwayne, nice post. Securing the human seems to speak to a larger societal issue, and rather than teach paranoia and suspicion, I would prefer to improve critical thinking skills (I don't want paranoid security folk protecting my data). I would assert that, in general (in the US), the average level of critical thinking skills has decreased right along with our scientific decline (it could be argued that scientific methods are pretty much the embodiment of critical thinking). We need to shape security people to have better UI's (I like that, by the way) in the respect that they need to be "paranoid and suspicious" in a more scientific, data-backed way. I don't know what to do to teach "non-security humans" critical thinking, but we can start with what we do know about the much smaller set of "security humans."

    • Good points, Adam – I don't necessarily want to "teach paranoia and suspicion" but I want to find ways to get people to pay attention in a different way, if that makes sense. Critical thinking is a key part of this in that it helps people move beyond 'face value' interpretations of data. I agree that it is tough to teach – I think drills, training, scenario-based learning, etc. can help but I haven't found a silver bullet that works well for larger populations of users.