Of security, people and psychopaths

20 November 2015

Paul Hearns

Having attended a few information security events in recent months I am struck by how far up the agenda the human elements have come.

In the not so distant past, or indeed practice, it was all about point solutions, perimeters and preventatives. Then the gradual, grudging acceptance of cloud services, mobility and remote working saw a thaw in attitudes that opened up security to be less about the perimeter and more about the data. Now, there is an increasing realisation that if the highest value individuals are going to be given hugely powerful devices to work anywhere, any time, on core business data, then they need protecting as much as any other element in that chain.

This has meant everything from security awareness training to user consultation on mobility strategies and even user-led initiatives to open up data sources.

It is all a far cry from the default IT position not so long ago of ‘no’ when faced with such challenges.

The always excellent IRISSCon this year featured yet another stellar line up of experts that were not only informative and educational but genuinely thought provoking too. This year, the highlight for me was the focus on the human elements in the form of an exploration of the dark psychology of social engineering by the slightly scary Jenny Radcliffe.

Now, I mean scary in a very nice way, in that her work not only probes an organisation’s susceptibility to social engineering as part of a hack attack, but also explores the minds of black hat social engineers themselves to see where they might fall on the sociopathic/psychopathic spectrum.

Such explorations make Radcliffe not only worth heeding, but her inimitable presentation style makes her utterly engaging. She describes how, up to a certain point, both the sociopathic and the psychopathic social engineer share traits, such as disregard for rules and laws, lack of guilt or remorse and a tendency toward violent outbursts. However, where they diverge is that the psychopath is charming and disarming, though utterly lacking in empathy. They can be organised and meticulous, and appear very normal until faced with opposition or adversity.

But on the other side, Radcliffe, who has spent some time performing social engineering herself in the manner of a penetration tester for the human aspects of infosec, said that social engineering techniques rely on identifying weaknesses and exploiting them. Social engineers will prey on people’s empathy, and an unwillingness to comply can be overcome by appealing to people’s innate desire to help others.

She said that the social engineer will look to find areas of identification with the target to establish a sense of co-identity so that the target will want to help. Echoing the likes of Kevin Mitnick, the social engineer will often pretend to be a co-worker of the target in some distant part of the company with a problem for which they elicit help, but which ultimately facilitates a later hack.

Radcliffe now works to help educate people and organisations to raise awareness of such techniques, as they are being used increasingly in the likes of CEO fraud — a phenomenon which was also detailed at IRISSCon.

The point, though, was succinctly put by Lance Spitzner of Securing the Human, when he showed a linear graph rising at a steady 45 degrees plotting the implementation of security controls in the Windows OS family over time. However, when the development of human security was plotted on the same axes, it was flat all the way to the horizon.

The overall message was that with the help of domain experts like Spitzner and Radcliffe, it is now possible for organisations to secure the human and ensure that they are engaged and invested sufficiently to prevent them from becoming the unwitting facilitators of your next security nightmare.

TechCentral.ie