It’s time to patch our human firewall

In light of a recent article on IT Governance blog entitled “What exactly is Social Engineering?”, I’d like to take a step back and explore what precedes a successful social engineering attack.

I recently asked an expert in social engineering, deception and negotiation the following question:

Would you say that underpinning social engineering would be a process of reconnaissance, perhaps using social media?

She responded:

Almost always these days, Stu!

Many articles focus on the attack methods that ultimately give rise to a breach but neglect to mention the single most important aspect of these successful breaches: reconnaissance.

The importance of reconnaissance

Thanks to social media and technological advances in software analysis tools, it is now possible for an adversary to fully ingratiate themselves within the lifeblood of your organisation without ever having to penetrate the perimeter fence.

We’ve all heard the old adage ‘A chain is only as strong as its weakest link’ applied to information security with the addendum ‘and that would be the human link’.

This has never been more true.

A recent security survey revealed that 31% of all information security incidents were employee–related. This statistic includes the nefarious actor, as well as the reckless and duped. Regardless, the fact remains that employees are a juicy attack vector for the miscreant, and, if the weakness comes in human form, it can render the technical controls in place moot.

Social media is the predominant vector through which criminals can take advantage of this weakness.

There are now open-source tools available to scrape all social media accounts connected with an individual, plus their relationships with others, and a veritable smorgasbord of interesting data, all presented in easily digestible forms.

There is proprietary software that will pick up all geo-tagged social media emanating from a given location.

This is all before we even consider such websites as LinkedIn, which are plagued with fake accounts targeting even those from the security industry – with some success, I might add – aided and given legitimacy by those too lazy to check the work claimed by those they are endorsing. Some fake accounts have been given private information, job offers, critical data and even speaking invitations.

Gathering information

Aside from the social engineering angle of social media, there is also simple information gathering. I’m not talking about things that fall under data protection, but information that is innocuous sounding and highly useful to an adversary: who is on holiday, which department is over-stretched, which employee is disgruntled and why, and so on.

And don’t think for a moment that your IT department is immune.

I’ve seen examples of IT administrators posting detailed technical information on forums looking for help, tweeting about upgrades, patching, internal problems, and even about ongoing hacking attacks.

All exquisite morsels for the cyber villain.

You might be thinking, what does this have to do with my little organisation? No criminal will expend so much targeted effort on us.

Think again.

Are you a subcontractor, consultant or supplier in a trusted relationship with a larger organisation? Then you are a potential target. Even more so if that trust relationship incorporates IT.

The same survey mentioned above has this to say:

“A growing number of respondents attribute incidents to third parties with trusted access to networks and data”.

Your organisation might just be the perfect entry point en route to the bigger fish. You might be the ideal point from which to progress, using existing trust relationships, onwards and upwards through the chain.

What can we do? OPSEC!

We can take a leaf out of the intelligence/military community handbook and incorporate operational security (OPSEC). Now, before you think I’ve gone all James Bond on you, stay with me.

The Wiki page on OPSEC is not particularly informative, but I very much liked this:

OPSEC is the process of protecting little pieces of data that could be grouped together to give the bigger picture.

We don’t necessarily have to go full-on spook tradecraft, but some awareness will not go amiss. We must inculcate an operational security mind-set that is in place outside the confines of the organisational walls; after all, the adversary will certainly not limit themselves in this manner.

We have to create an OPSEC ‘mindfulness’, if you will, that will be in the employees’ subconscious even in their free time, operating upon them as they tap away on their preferred social media platform. We must create an understanding that each piece of internal and private corporate information shared online can be pieced together by an adversary to give them a clearer picture and, ultimately, ease their job of discovering attack vectors.

We need employees to have their awareness heightened to the threat environment so that an automatic ‘gut check’ kicks in whenever they’re talking about the business online.

Sadly, it is far beyond the remit of this short piece to explore the best way to achieve this, but I will leave you with this final thought that I have again lifted from the survey, which nicely sums up where I wanted to go with this:

“Another worrisome finding is a diminished commitment to employee training and awareness programmes.”

And herein lies both the problem and the solution.

It’s time to patch our human firewall.