August 08, 2012
TrustedSec founder interviewed on Slashdot about the Apple hack
Written by
David Kennedy
Leadership
TrustedSec's founder, David Kennedy, has been speaking for a number of years on the dangers of social-engineering (SE) coupled with technological attacks. The Social-Engineer Toolkit (SET) was created to educate companies about the SE dangers we face as an industry. In the most recent incident, Apple's customer support personnel were successfully social-engineered. In Apple's defense, the attackers had some very specific information about the victim. Still, the technique used can be performed anywhere, and the information is not hard to obtain. In a recent Slashdot interview, David Kennedy talks about the implications of social-engineering and what we face as an industry. Social-engineering continues to be the most challenging threat we face in the security industry, strictly because of the uncertainty around the human factor. Taking FUD and scare tactics out of the equation, social-engineering is difficult to stop against a persistent adversary.
There is a debate in the industry right now on what to do about social-engineering. Some argue over whether user awareness is even worth the investment. I personally believe heavily in educating users and raising their awareness. A foundational aspect of security is educating people who may not know what to look for or how to react. As humans, we are typically easily persuaded, especially in social-engineering situations. We need to teach our user population that it is OK to say "Sorry, I need some more information" or "This doesn't seem right, I need to go." These are things we cringe to say on the phone or in person, but they are absolutely acceptable in uncomfortable situations. At the very least, bringing security education to the users will give you a better chance at detecting these types of attacks and others.
Putting appropriate processes and technology in place to make an attacker's job difficult is the ideal situation. Simple techniques such as not allowing users to have administrative-level rights, or restricting egress (outbound) connections, can completely save a company from a breach. In Apple's situation, the fault lay more in a simple security process for verifying a person's identity. How many times have we been asked for the last four digits of our Social Security number? Or our dog's name? The last four digits of our credit card number (the one that happens to be saved everywhere)? The process itself allowed the successful social-engineering attack, and that specific process had probably not been reviewed in years. Coupling social-engineering attacks with technology is here to stay.
Are you working on protecting your employees?
From the Slashdot interview:
“When I perform penetration tests, it will take me a week maybe to break into an organization. That’s a lot of time and effort,” David Kennedy, founder and principal security consultant of TrustedSec, wrote in an email. “Social engineering? Maybe a day to two days of research and simply picking up the phone and remaining calm.”
For consumer services such as Apple and Google, a massive organizational framework can prove a detriment when it comes to blocking social-engineering attacks. “In order to service that volume they have to have a large turnover on customer support lines and continuously training new people over and over,” Kennedy wrote. “There will continue to be lapses. If you attempt a social-engineer attack and it’s not successful, hanging up and calling back may be successful.”
Indeed, there’s a multitude of ways in which a skilled social engineer can manipulate perception and reality in order to penetrate a system. “The problem with social engineering is the creativity of the attacker and the ability to think on the fly in a situation,” Kennedy added. “It’s really dependent on the amount of (pardon the language) balls the person has to push the person on the other end.”
For more information on the article visit Slashdot: http://slashdot.org/topic/cloud/wired-writer-hack-shows-need-for-tighter-cloud-security/
Special thanks to Nick Kolakowski for reaching out to me for the interview.