On a flight on Monday, I started reading Kevin Mitnick’s latest book, “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.” I’m not done yet, but it is a very interesting book. A couple of lines struck me in one chapter, in which Mitnick had just used social engineering to fool someone at the phone company into giving him some valuable information:
“Why was the lady in Line Assignment so willing to answer all my questions? Simply because I gave her one right answer and asked the right questions, using the right lingo. So don’t go thinking that the Pacific Bell clerk who gave me Eric’s address was foolish or slow-witted. People in offices ordinarily give others the benefit of the doubt when the request appears to be authentic.
“People, as I had learned at a very young age, are just too trusting.”
The book is full of examples of trust breaking the best intentions of a security program, and it also brought to mind the attack on Mat Honan that I mentioned last week.
Don’t like the rules? Find a way around them.
You see, a lot of the things we recognize as “best practices” (strong passwords, access controls, security questions, and so on) can sometimes be bypassed by a convincing performance from a savvy attacker. This is a huge problem, particularly when we rely on single-factor authentication (something you know) without requiring other factors (something you have, or something you are). But, of course, we do a lot of this for our own convenience, because we know that humans are like liquids: they seek the lowest point and avoid anything that introduces friction into their lives.
To further riff on Shawna Turner-Rice’s last post about “securing the human,” we need to keep in mind how humans can be exploited to bypass our technical controls. We can mitigate some of this with a combination of policies, procedures, and technical controls (access controls, network segmentation, and the like), but it is really tough to take humans out of the loop. In fact, we need them in the loop, but we need to make it less likely that they can cripple our businesses when they act on human nature or human “frailties” such as trust.
Practice strengthens skills
This is why I’m such a fan of regular reviews of controls, live ‘drills’ and other activities that help people develop a better sense of when someone is trying to pull the wool over their eyes. It is also why I am a huge fan of automated, objective controls that look for suspicious changes in access, permissions, configurations, etc. to make sure anomalies can be detected quickly when humans mess up.
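One way to put that second idea into practice is a baseline diff: snapshot who has which privileges and how sensitive files are permissioned, then compare each new snapshot against the baseline and flag anything that widens access. The script below is an added example, not code from the original post; the file paths, group names, user names and the `PRIVILEGED_GROUPS` list are all constructed for illustration, and in real use the two snapshots would be collected from the hosts rather than written inline.

```python
"""Baseline-diff detector for access and configuration changes.

Added example (not from the original post). It compares a saved baseline of
file modes/owners and group memberships against a current snapshot and reports
what changed, marking changes that widen access as high severity. All sample
data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Groups whose membership changes are treated as high severity (assumption).
PRIVILEGED_GROUPS = {"wheel", "sudo", "admin"}


@dataclass(frozen=True)
class FileState:
    mode: int    # POSIX permission bits, e.g. 0o640
    owner: str


@dataclass
class Finding:
    kind: str      # "file" or "group"
    subject: str   # path or group name
    detail: str
    severity: str  # "high" or "info"


def _mode_str(mode: int) -> str:
    return format(mode, "04o")


def diff_files(baseline: Dict[str, FileState], current: Dict[str, FileState]) -> List[Finding]:
    """Report added, removed and changed files; widened modes are high severity."""
    findings: List[Finding] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(Finding("file", path, f"new file, mode {_mode_str(new.mode)}, owner {new.owner}", "info"))
            continue
        if new is None:
            findings.append(Finding("file", path, "file removed", "info"))
            continue
        if old.owner != new.owner:
            findings.append(Finding("file", path, f"owner {old.owner} -> {new.owner}", "high"))
        if old.mode != new.mode:
            # Any permission bit set now that was not set before means access widened.
            widened = (new.mode & ~old.mode) != 0
            world_writable = bool(new.mode & 0o002)
            sev = "high" if (widened or world_writable) else "info"
            findings.append(Finding("file", path, f"mode {_mode_str(old.mode)} -> {_mode_str(new.mode)}", sev))
    return findings


def diff_groups(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[Finding]:
    """Report membership changes; additions to privileged groups are high severity."""
    findings: List[Finding] = []
    for group in sorted(set(baseline) | set(current)):
        old, new = baseline.get(group, set()), current.get(group, set())
        sev = "high" if group in PRIVILEGED_GROUPS else "info"
        for user in sorted(new - old):
            findings.append(Finding("group", group, f"member added: {user}", sev))
        for user in sorted(old - new):
            findings.append(Finding("group", group, f"member removed: {user}", "info"))
    return findings


def review(baseline_files, current_files, baseline_groups, current_groups) -> List[Finding]:
    return diff_files(baseline_files, current_files) + diff_groups(baseline_groups, current_groups)


def high_severity(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "high"]


# Constructed sample data: a baseline captured last week and today's snapshot.
BASELINE_FILES = {
    "/etc/sudoers": FileState(0o440, "root"),
    "/etc/ssh/sshd_config": FileState(0o600, "root"),
    "/var/www/app/config.yml": FileState(0o640, "www-data"),
}
CURRENT_FILES = {
    "/etc/sudoers": FileState(0o440, "root"),
    "/etc/ssh/sshd_config": FileState(0o644, "root"),         # read bits widened
    "/var/www/app/config.yml": FileState(0o666, "www-data"),  # now world-writable
    "/etc/cron.d/cleanup": FileState(0o644, "root"),          # new file
}
BASELINE_GROUPS = {"wheel": {"alice"}, "developers": {"alice", "bob"}}
CURRENT_GROUPS = {"wheel": {"alice", "tempuser"}, "developers": {"alice"}}

if __name__ == "__main__":
    for f in review(BASELINE_FILES, CURRENT_FILES, BASELINE_GROUPS, CURRENT_GROUPS):
        print(f"[{f.severity:4}] {f.kind}: {f.subject}: {f.detail}")
```

The point of the severity split is that the reviewer's attention goes first to the three findings that matter (two files that became more readable or writable, and a new member of a privileged group), while routine changes such as a new cron file or a departed developer are still recorded but not alarmed on. The check is objective: it does not care how plausible the story behind the change was.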
By the way, for a very interesting and enlightening listen, check out Mat Honan’s attack deconstructed on “Security Now” with Steve Gibson. The good news is that Apple and Amazon (both of whom played parts in Honan’s compromise) have responded quickly to improve their account security practices. The bad news, as mentioned in the Security Now podcast, is that the same guys who messed with Mat Honan know how to do the same thing with other online service providers.
As one of my favorite sayings tells us, “Trust is not a control, and hope is not a strategy.” Time for us (collectively) to review our own policies and practices, and up our game on securing our humans.