Comments on: Creating a Patch for Human Stupidity http://www.gdssecurity.com/l/b/2009/04/08/creating-a-patch-for-human-stupidity/ Gotham Digital Science Security Blog Wed, 01 Sep 2010 06:49:07 +0000 http://wordpress.org/?v=abc hourly 1 By: Tom Brennan http://www.gdssecurity.com/l/b/2009/04/08/creating-a-patch-for-human-stupidity/comment-page-1/#comment-287 Tom Brennan Thu, 14 May 2009 14:21:15 +0000 http://www.gdssecurity.com/l/b/?p=102#comment-287 Security convergence requires a proactive approach - excellent write up. Security convergence requires a proactive approach – excellent write up.

]]> By: Nick http://www.gdssecurity.com/l/b/2009/04/08/creating-a-patch-for-human-stupidity/comment-page-1/#comment-285 Nick Fri, 01 May 2009 01:26:30 +0000 http://www.gdssecurity.com/l/b/?p=102#comment-285 I disagree, I think there's several patches for human stupidity... Firstly, training. While this is only a partial answer it does help; describe the threat, describe the techniques used, encourage employees to think about how they could be attacked, therefore increasing the chance of them spotting such an attack in future. Secondly, process. I'm with Marcus Ranum, in that if a system fails, then the system wasn't designed correctly. If a Social Engineer can persuade a user to reveal information they shouldn't, or to make a change that they shouldn't, then the correct processes aren't in place. If the malicious caller says they've already got authorisation for an account change to be carried out, there should be some kind of token that came with that authorisation, that needs to be passed to the employee who makes that change, before they can take action. "John in Department G says it's ok" shouldn't be good enough. Thirdly, testing. The reason so many Social Engineering attacks succeed is because they are attempted so rarely. If a organisation is sporadically attacked employees will develop a sufficiently strong siege mentality to be aware of possible attacks. Fourthly, reward. Employees should be rewarded for spotting Social Engineering attacks, or through finding gaps in processes where the company could be vulnerable before an attacker finds that issue. That way everyone, in a small but determined way, is considering Social Engineering issues all the time. While Social Engineering is one of the most prevalent problems any InfoSec professional will face I don't think it's the hardest... but I'm not sure what is, maybe that's a good subject for the next blog post? I disagree, I think there’s several patches for human stupidity…

Firstly, training. While this is only a partial answer it does help; describe the threat, describe the techniques used, encourage employees to think about how they could be attacked, therefore increasing the chance of them spotting such an attack in future.

Secondly, process. I’m with Marcus Ranum, in that if a system fails, then the system wasn’t designed correctly. If a Social Engineer can persuade a user to reveal information they shouldn’t, or to make a change that they shouldn’t, then the correct processes aren’t in place. If the malicious caller says they’ve already got authorisation for an account change to be carried out, there should be some kind of token that came with that authorisation, that needs to be passed to the employee who makes that change, before they can take action. “John in Department G says it’s ok” shouldn’t be good enough.

Thirdly, testing. The reason so many Social Engineering attacks succeed is because they are attempted so rarely. If a organisation is sporadically attacked employees will develop a sufficiently strong siege mentality to be aware of possible attacks.

Fourthly, reward. Employees should be rewarded for spotting Social Engineering attacks, or through finding gaps in processes where the company could be vulnerable before an attacker finds that issue. That way everyone, in a small but determined way, is considering Social Engineering issues all the time.

While Social Engineering is one of the most prevalent problems any InfoSec professional will face I don’t think it’s the hardest… but I’m not sure what is, maybe that’s a good subject for the next blog post?

]]> By: Dean http://www.gdssecurity.com/l/b/2009/04/08/creating-a-patch-for-human-stupidity/comment-page-1/#comment-277 Dean Wed, 08 Apr 2009 23:07:45 +0000 http://www.gdssecurity.com/l/b/?p=102#comment-277 I am afraid that there is not a patch for human stupidity. Yes education will help to reduce the number of incidents, but most humans are trusting by nature and therein lies the problem. I have conducted adhoc tests posing as a member of the support staff and asked for a username and password to fix an issue with their pc and 80% of staff were willing to give these details. I wish there was an easy solution, but changing human nature is probably the hardest problem that any infosec professional will encounter. I am afraid that there is not a patch for human stupidity.

Yes education will help to reduce the number of incidents, but most humans are trusting by nature and therein lies the problem.

I have conducted adhoc tests posing as a member of the support staff and asked for a username and password to fix an issue with their pc and 80% of staff were willing to give these details.

I wish there was an easy solution, but changing human nature is probably the hardest problem that any infosec professional will encounter.

]]>