Following last week’s blog, reviewing Kevin Mitnick’s Ghost in the Wires, I thought it would be entertaining to suck all the fun out of one of my favorite topics: hacking/social engineering. So here goes...
So, the questions this book/blog percolated in you as a good security-minded professional:
1. Is my X (computer, office, network) safe from a Kevin Mitnick?
Likely, the answer is No. Not 1990s Kevin. And definitely not 2018 Kevin with his sub-western government combination of human engineering skills, technical know-how, and a multi-million-dollar security business. The most vulnerable part of any system is the human responsible for running it, and Kevin continues to prove that he is peerless in getting people to compromise their systems for him. Luckily, you and I haven’t made enemies with $100+K to pay Kevin and his team to ruin our year…well, at least I haven’t….
2. Are my people good enough to recognize when they are being social engineered?
Given that social engineering is used in 66% of all cyber-attacks, and 67% of targets are willing to give up their own and their co-workers’ personally identifiable information (PII), there is a good chance that as an industry we can do better. And the key difference in study after study is the combination of regular security training AND testing. Do you remember what you ate for lunch last Tuesday? I know I don’t. But if I quizzed you weekly on your lunch habits, do you think your memory might drastically improve? Yes, you are correct, Sir! So, chances are your employees don’t remember the security training you required them to take 6 months ago. But if you send them regular phishing emails, and reinforce your policies following a click on an illicit link, statistics show that your vulnerability to these attacks plummets 1200%!
3. Where do I start with social engineering my staff?
- Determine what you most need to protect to ensure your business operations
- Determine who/what has access to the items from step 1
- Craft a phishing campaign using something that this audience would normally receive via email, or would be excited to see. (I’m a fan of both SET [open source] and LUCY [paid])
- Maintain statistics on who compromises your systems
- Send something from this campaign every month, especially to leadership
- Ensure you require remedial training for repeat offenders
- Watch your vulnerability to the most popular attack vector plummet
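
The tracking steps above (keep statistics, run monthly, include leadership, remediate repeat offenders) can be done from a simple results export. The script below is an added example, not from the original post; the CSV column names and sample rows are constructed assumptions, not the export format of SET or LUCY.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per recipient per monthly campaign.
# Column names are assumptions for this example, not a tool's real format.
SAMPLE = """month,user,role,clicked
2018-01,alice,staff,1
2018-01,bob,staff,0
2018-01,carol,leadership,1
2018-02,alice,staff,1
2018-02,bob,staff,0
2018-02,carol,leadership,0
2018-03,alice,staff,0
2018-03,bob,staff,1
"""

def summarize(csv_text, repeat_threshold=2):
    """Return monthly click rates, repeat clickers, and months with no leadership targets."""
    sent = defaultdict(int)           # month -> emails sent
    clicked = defaultdict(int)        # month -> recipients who clicked
    user_clicks = defaultdict(int)    # user -> number of campaigns clicked
    leaders_seen = defaultdict(set)   # month -> leadership recipients included
    for row in csv.DictReader(io.StringIO(csv_text)):
        month = row["month"]
        sent[month] += 1
        if row["role"] == "leadership":
            leaders_seen[month].add(row["user"])
        if row["clicked"] == "1":
            clicked[month] += 1
            user_clicks[row["user"]] += 1
    return {
        # Trend to watch: this should fall as training is reinforced.
        "click_rate": {m: round(clicked[m] / sent[m], 2) for m in sorted(sent)},
        # Users who clicked in repeat_threshold or more campaigns need remedial training.
        "remedial": sorted(u for u, n in user_clicks.items() if n >= repeat_threshold),
        # Campaign months that skipped leadership entirely.
        "months_missing_leadership": sorted(m for m in sent if not leaders_seen[m]),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```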