“There is no patch for humans.”
– Christopher Hadnagy
In August of 2000 a game show named the Weakest Link debuted on the BBC. It went on to inspire similar programs in dozens of countries. One of its key concepts involved participants voting to eliminate the contestant who was the weakest player. The unfortunate person was dismissed by the host with the memorable phrase, “You are the weakest link,” a modern reference to the old bromide about the weakest link in the chain.
In the world of cybersecurity, there is a technique called social engineering which aims to find the weakest link in a company’s defense. The basic premise is that it’s easier to exploit weaknesses in people than in technology, although, as we’ve seen, both are eminently doable. Social engineering is commonly referred to as hacking humans, since it relies on the human propensity to trust other people.
How easy is it to compromise security through social engineering? Allow me to introduce you to the Social Engineering Capture the Flag contest, an event created by Christopher J. Hadnagy in 2009 to demonstrate how social engineering poses a threat to corporate security. The contest takes place at Defcon, an unusual security conference that attracts good guys, including representatives from virtually every federal law enforcement agency, not so good guys, and likely, bad guys there to learn what can be used to expand their arsenal.
Here’s the way the capture the flag contest works: each contestant team gets a Fortune 500 company as its target and is given a list of sensitive information that it is to discover during a live phone call. Each piece of information is a flag, hence the name.
Reporting on the contest, Patrick Howell O’Neill discussed a successful attempt to penetrate Home Depot, writing that the hackers:
“… quickly eked out important technical details about how Home Depot’s computer systems work, as well as loads of other security information—when employees go on break, if keys or cards are used to open locked doors, and how often people get paid—that leave Home Depot vulnerable to a wide range of attacks in both cyberspace and the real world. For 10 minutes, they sweet-talked Sharon and used her as a lever to learn more about Home Depot’s security, or in this case, the lack thereof.
The Schmoozers, a team who hadn’t even met prior to competing, were polite but forceful. They never asked if it was OK to take up Sharon’s time, but just did it, projecting an air of authority that carried them very far, very fast.
Sharon gave up a slew of information: the exact computer models Home Depot used, the software run on them, and the fact that the computers have virtually no malware protection.”
The attack demonstrated the validity of Hadnagy’s belief that social engineering is the single biggest threat corporations face. Dealing with that reality requires continuing education and a dedication to creating awareness and sensitivity throughout the workforce. For more information about social engineering and methods to combat it, read here and here.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
August 4, 2015