Author: June Middleton, JuMiddleton@jackhenry.com
Retailers, hospitals, government agencies, and the details of their data breach woes continue to appear in news and social media headlines, and the pace of data breach announcements appears to be speeding up rather than slowing down. Organizations continue to spend thousands (if not tens of thousands) of dollars on technical security controls (firewalls, intrusion detection/prevention systems, anti-virus/anti-malware programs, encryption, access management, virtual private networks, etc.) to build strong security controls using a defense in depth strategy. In Computerworld’s Annual Forecast survey of 194 Information Technology (IT) executives, 43% of them expected their IT budgets to increase in 2015.[1] Due to the recent high-profile security breaches at a myriad of companies, security spending propelled to the top of their IT priority list for 2015. If organizations have continued to increase IT security spending, then why are the bad guys still getting in? If only I had a dollar for every time I have heard or read ‘the human is the weakest link in IT security’ over the past 12 months.
Human weaknesses are exposed by Social Engineering, which is defined by Wikipedia as the psychological manipulation of people into performing actions or divulging confidential information.[2] Social Engineers (aka con men or human hackers) have been around since the beginning of mankind (e.g., the Serpent convincing Eve to eat the fruit from the tree in the middle of the Garden of Eden in Biblical times). Today’s malicious social engineers primarily fall into three categories:
- Opportunists with little preparation and little to no budget (a scammer who sends out a customized blanket phishing email);
- Well-funded attackers with lots of preparation (corporate espionage, organized crime, politically motivated attacks); and
- Trusted Insiders (former NSA employee Edward Snowden).[3]
Chris Hadnagy, CEO of Social-Engineer, Inc., in his 2015 book titled Phishing in Dark Waters, mentions that “Analysis of almost all major hacking attacks from the past 12 months reveals that a large majority involved social engineering – a phishing email, a spear phish, or a malicious phone call (vishing).”[4] These are just a few of the many attack vectors social engineers use against an organization’s employees, and against other individuals or companies those employees know, to gain a foothold in the organization and steal sensitive or confidential information. If the human truly is the weakest link in information technology (IT) today, then why are organizations not spending more of their IT budgets, both time and money, on mitigating the human weakness? While common sense tells us that no organization is 100% protected from the persistent malicious social engineer, it seems reasonable that organizations must add an additional layer of defense aimed at mitigating the human risk to their IT system security. A one-size social engineering defense strategy does not fit all, and strengthening this human layer of defense should be three-fold:
- Performing periodic social engineering assessments (SEAS) by external professional social engineering penetration testers;
- Creating policies and procedures that are tailored to mitigate the organization’s unique social engineering vulnerabilities, as revealed from the periodic SEAS; and
- Conducting ongoing social engineering security education and awareness training, with a focus on the lessons learned from the SEAS.[5]
What is your organization doing today to strengthen its greatest weakness and protect its most valuable assets?
[1] Collett, S. (2014, November 3). 2015 Forecast: IT spending on an upswing. Retrieved from http://www.computerworld.com/article/2840907/forecast-2015-it-spending-on-an-upswing.html
[2] Social Engineering. In Wikipedia. Retrieved on November 20, 2015, from https://en.wikipedia.org/wiki/Social_engineering_(security)
[3] Conheady, S. (2014). Social Engineering in IT Security. New York, NY: McGraw-Hill Education.
[4] Hadnagy, C. & Fincher, M. (2015). Phishing in Dark Waters. Indianapolis, IN: John Wiley & Sons, Inc.
[5] Conheady, S. (2014). Social Engineering in IT Security. New York, NY: McGraw-Hill Education.