As summer fades to a close, and we mentally resign ourselves to getting back into work, I am interested in a recent contest that was just held about social engineering and how men and women fare differently against social engineering attacks.
For those of you who don’t know what social engineering is (it also called ‘pretexting’), think about when you have ever used any degree of charm, persuasion, eyelash batting or a glimpse of excess cleavage to get yourself bumped up to first class in an airplane, get into a crowded event, get out of a speeding ticket or just generally get something that you may not on the surface deserve. That is, you have ‘engineered’ your audience into doing your will. This is what the most skilled and devious thieves do to us – get information from us that helps them do bad things. It is the toughest attack to fend off and against, as our nature is to be helpful and help a brother out.
This recent social engineering contest consisted of calling 135 employees from Fortune 500 companies, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola to be targeted by social engineering hackers, trying to get the employees to divulge or reveal they information that could be misused by the attackers, such as what operating system, antivirus software, and which browser the companies used. The ’bad guys’ also tried to talk the ‘victims’ into visiting unauthorized web sites. Most of the information compromised in the contest was gotten by the hackers pretending to be insiders who were doing audits or consultants filling out surveys.
But here is the really interesting part: only five of the group of 135 refused to give up any corporate information at all. And all of the five were women.
The team that held the contest was unsure as to why it was only women who failed to reveal any data, but there are some other common traits. Three of the five women who shut down contestants were managers, and female managers are generally the least likely to fall for social engineering attacks. A security consultant who commented on the contest stated that the findings make sense, as female managers are “going to be the least trusting, the most suspicious."
This contest also points out another important factor: when it comes to the social attack, you cannot simply train for a particular attack, like getting a flu shot for a specific strain, for example. You must constantly train on the need for heightened awareness and alertness by your employees. The possible scenarios that bad guys could come up with to get your employees to divulge information is infinite and impossible to thoroughly prepare them for. You have to simply make them aware of the possibility of these kinds of attacks and get them to keep thinking strategically and out of the box. Because the bad guys will as well.
Finally, I thought I would end with this little, possibly relevant nugget: at my company, it is impossible to know everyone by name or face since we have thousands of employees, yet every time and any time I have ever been asked if I have my badge as I am trying to enter the side door on some morning, the questioner has invariably been a woman....
No comments:
Post a Comment