Social Engineering: The dangers of positive thinking

Steve Ragan

"It could be a thousand different spam emails that they have to respond to, but that thousand-and-one could be the HVAC email that took down Target. Those humans, those employees, are going to be the biggest intrusion detection system your company's going to have."

However, unless the employee IDS is tuned properly, it's no different IT slapping a blinking box into a rack and walking away. Unfortunately, while having an un-tuned IDS will help check a box during a security audit, it's not helping the company in the long run. Likewise, awareness training in general can help a company pass an audit, but unless the awareness training is tuned and maintained, it isn't going to help.

On its face, awareness seems like an easily obtained security metric. Something that's simple to implement and manage, but it's not. That feeling of "stranger danger" doesn't exist for most adults. So where did it go? Wshy did society lose the "stranger danger" mentality as adults?

"We're supposed to be safe, because we have security controls. We are so busy thinking that our security controls are flawless, and it's our humans are flawed, that we let it slide that way. The problem is our security controls are flawed just as much as our humans are. You have to take in account that your security systems can be flawed, as well as your humans, and adjust for both of those," Street said.

The security industry, Street explains, has had a mentality for a very long time that "we needed to build walls."

The assumption is that if the walls were built high enough, or thick enough, then that's going to be enough and offer solid security. But level of thinking doesn't hold water, not anymore.

"We need to start understanding that our walls are never going to be high enough or thick enough. We need to start putting lookout towers on those walls. We have to start looking at people looking inside the walls for the breach. We need to start showing, not when the breach happens, but how quickly do we detect when the breach comes -- because it's going to come. So now, instead of trying to build a wall to withstand a breach, build a wall so it can easily detect when a breach occurs. And it's that response that's going to be critical, not trying to prevent a breach altogether."

Previous Page  1  2  3  4