Thursday, September 9, 2010

Security through stupidity.....still! Thank God!

Did your company suffer through the "Here you have" virus, as it is now being called? It was one of the few exciting security events to happen to us guys in a number of years.

Good news: these inconveniences are becoming fewer and farther between as our technological defenses are getting better and smarter.

Bad news: we are still relying on the human element as the last bastion of protection against basic attacks like this.

Worse news: even at the human level, the reason many attacks don't make it is that the attackers still seem unable to spellcheck and put proper punctuation in sentences...the dead giveaway of a bogus e-mail....still.

Look at an excerpt from the 'Here you have' example:

"This is The Document I told you about,you can find it Here."

See the mistakes? Capitalized words in the middle of a sentence, sloppy and incorrect punctuation, etc. Either the bad guys in this situation are not native English speakers, or they were just stupid or lousy students who goofed off in English class.

Either way, we will only have a short period of time until these types finally get their act together and learn how to use that super-sophisticated advanced technology tool known as 'spellcheck.'

Monday, September 6, 2010

The Social Engineering Attack: Men vs. Women.

As summer fades to a close, and we mentally resign ourselves to getting back into work, I am interested in a recent contest that was just held about social engineering and how men and women fare differently against social engineering attacks.

For those of you who don’t know what social engineering is (it is also called ‘pretexting’), think about any time you have used some degree of charm, persuasion, eyelash batting or a glimpse of excess cleavage to get yourself bumped up to first class on an airplane, get into a crowded event, get out of a speeding ticket or just generally get something that you may not, on the surface, deserve. That is, you have ‘engineered’ your audience into doing your will. This is what the most skilled and devious thieves do to us – get information from us that helps them do bad things. It is the toughest attack to fend off, as our nature is to be helpful and help a brother out.

In this recent social engineering contest, 135 employees of Fortune 500 companies, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola, were called by social engineering hackers trying to get them to divulge information that could be misused by attackers, such as which operating system, antivirus software and browser the companies used. The ’bad guys’ also tried to talk the ‘victims’ into visiting unauthorized web sites. Most of the information compromised in the contest was obtained by the hackers pretending to be insiders doing audits or consultants filling out surveys.

But here is the really interesting part: only five of the group of 135 refused to give up any corporate information at all. And all of the five were women.

The team that held the contest was unsure as to why it was only women who failed to reveal any data, but there are some other common traits. Three of the five women who shut down contestants were managers, and female managers are generally the least likely to fall for social engineering attacks. A security consultant who commented on the contest stated that the findings make sense, as female managers are “going to be the least trusting, the most suspicious."

This contest also points out another important factor: when it comes to the social attack, you cannot simply train for a particular attack, like getting a flu shot for a specific strain. You must constantly train your employees on the need for heightened awareness and alertness. The possible scenarios that bad guys could come up with to get your employees to divulge information are infinite and impossible to thoroughly prepare them for. You simply have to make them aware of the possibility of these kinds of attacks and get them to keep thinking strategically and out of the box. Because the bad guys will as well.

Finally, I thought I would end with this little, possibly relevant nugget: at my company, it is impossible to know everyone by name or face since we have thousands of employees, yet every time and any time I have ever been asked if I have my badge as I am trying to enter the side door on some morning, the questioner has invariably been a woman....