Hacking The Human

Posted on Tuesday 12th February 2019
What I have learnt over the last few months is that there is most certainly job security in computer security. Recently, I have spent a lot of my time looking into business security and checking for any vulnerability concerning IT threats.

I have found that quite often it is the human behind the screen that poses more of a threat than inadequate computer security. Let me explain.

Many local companies I have spoken with have identified their company’s highest cyber risks; they have done the research and know about the attacks that pose a threat to their data. However, very few have identified, or done anything to protect, their most vulnerable area – their staff.

Depending on the company and staff member, access to data varies from limited access to open access. With this in mind why would a hacker attempt to penetrate a site from an external source when all they have to do is target the weak links that can do all the hard work for them? It’s easier, quicker and frequently offers a more positive result.

Dressing in a high-visibility jacket, holding a fake badge and asking where the server room is, or waiting outside a company door holding a large box with both arms outstretched, will undoubtedly result in someone opening the door with a smile. The thing is, people are too nice. They feel guilty when questioning others, and attackers take advantage of this weakness. So why do we not train our staff to be more aware of these threats?

Staff awareness of security can be measured in many ways. A simple approach is to send a fake phishing email to all staff in the organisation with a link attached. This link records how many members of staff click the baited link, which in a real attack could cause damage. Another option is a more in-depth staged test. One company went as far as to place USB sticks around their company car park to see how many members of staff would pick them up and plug them into their work computers in an effort to establish ownership. These innocent acts, conducted in good faith, could potentially leave the company network vulnerable to a whole host of executable malware. It could theoretically take any business, big or small, offline and, without an up-to-date disaster policy in place, could feasibly wipe them out completely.
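The click-measuring link described above needs two things to be useful: a way to attribute each click to a recipient without putting their email address in the link, and a tally that counts each person once. The script below is an added example, not code from the original post or from Dorset Police; it assumes a hypothetical training link path /training/t/<token>, a campaign secret, and constructed web-server log lines. Tokens are an HMAC of the recipient address, so they cannot be guessed or forged for a colleague, and the resulting report is per department rather than per person, which is what an awareness programme actually needs.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: a per-campaign secret; in practice load it from a vault or environment.
CAMPAIGN_SECRET = b"constructed-demo-secret-change-me"

def make_token(email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Derive an unguessable, address-free tracking token for one recipient."""
    return hmac.new(secret, email.lower().encode(), hashlib.sha256).hexdigest()[:16]

# Constructed recipient list: address -> department.
RECIPIENTS = {
    "alice@example.test": "finance",
    "bob@example.test": "finance",
    "carol@example.test": "engineering",
    "dave@example.test": "engineering",
}

# Constructed access-log lines (Apache/nginx combined style) for the hypothetical
# /training/t/<token> landing page. Alice clicked twice, Carol once, Bob and Dave never.
LOG_LINES = [
    f'203.0.113.5 - - [12/Feb/2019:09:14:02 +0000] "GET /training/t/{make_token("alice@example.test")} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [12/Feb/2019:09:14:40 +0000] "GET /training/t/{make_token("alice@example.test")} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [12/Feb/2019:10:02:11 +0000] "GET /training/t/{make_token("carol@example.test")} HTTP/1.1" 200 512',
    '192.0.2.9 - - [12/Feb/2019:10:05:00 +0000] "GET /training/t/0000000000000000 HTTP/1.1" 404 0',  # unknown token
    '192.0.2.9 - - [12/Feb/2019:10:05:30 +0000] "GET /index.html HTTP/1.1" 200 1024',  # unrelated request
]

TOKEN_RE = re.compile(r'"GET /training/t/([0-9a-f]{16})[ /"]')

def clicked_recipients(log_lines, recipients=RECIPIENTS, secret=CAMPAIGN_SECRET) -> set:
    """Return the set of recipient addresses that clicked at least once.
    Tokens that do not map to a known recipient are ignored."""
    token_to_email = {make_token(e, secret): e for e in recipients}
    clicked = set()
    for line in log_lines:
        m = TOKEN_RE.search(line)
        if m and m.group(1) in token_to_email:
            clicked.add(token_to_email[m.group(1)])
    return clicked

def summarise(clicked: set, recipients=RECIPIENTS) -> dict:
    """Per-department sent/clicked counts and click rate, plus a 'total' row."""
    report = defaultdict(lambda: {"sent": 0, "clicked": 0})
    for email, dept in recipients.items():
        for key in (dept, "total"):
            report[key]["sent"] += 1
            if email in clicked:
                report[key]["clicked"] += 1
    for row in report.values():
        row["rate"] = row["clicked"] / row["sent"] if row["sent"] else 0.0
    return dict(report)

if __name__ == "__main__":
    for dept, row in summarise(clicked_recipients(LOG_LINES)).items():
        print(f"{dept:12s} sent={row['sent']} clicked={row['clicked']} rate={row['rate']:.0%}")
```

Reporting by department rather than naming individuals keeps the exercise educational instead of punitive; the per-recipient token only exists so that repeat clicks by one person are not counted as several staff members.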

Training staff is an easy solution to potentially catastrophic consequences of relaxed security. However, fraudsters are becoming more creative and calculated.

One of the newest terms on the information security block is social engineering.

Social engineering is a more complex fraud scheme than the traditional ‘con artist’. It refers to the psychological manipulation of people for the purpose of information gathering, accessing systems or conducting fraud of any kind.

Fraudsters manipulate and trick staff into trusting them with their personal data. They gain the confidence of the staff member and through conversation obtain personal details that could be used as variations of their passwords. Their kids’ and pets’ names, their first car, where they were born or even their mother’s maiden name can all be obtained through social engineering and used as ‘a way in’.

It is not all doom and gloom, however. The best defence is knowledge. Now that you know about the potential risks to your company, training can be created to educate staff and protect your business.

I know this is not a quick win, but it is a step in the right direction. If it makes one person in an organisation think about whether to open an attachment or not then the awareness training has been effective.

Please get in touch if you would like free and impartial cyber security advice by emailing CyberCrimePrevention@dorset.pnn.police.uk.