Huge rise in security incidents in 2015

(Image: IRISS CERT)

20 November 2015

These new techniques extend to other macro trends such as Big Data. Ferguson gave the example of extortion attempts that cross-reference compromised and publicly available data sets. He said it was likely that the US public service breach, in which tens of thousands of civil servants' details were lost, could be cross-referenced with the Ashley Madison data set, potentially yielding targets for blackmail or extortion.

Ferguson said that further technological developments were also opening up entirely new possibilities for attackers. Virtual and augmented reality technologies, he said, present new and unprecedented ways for attackers to disrupt and gain control. If a person is represented in a virtual world by an avatar, he asked, what happens when an attacker gains control of that avatar? Or, in the case of augmented reality, where a person experiences the world through the filter of the Internet via the likes of a head-up display (HUD), how will that alter their perception of reality?

Ferguson gave the example of walking down the street wearing such a device, which knows that the user has expressed a preference against a certain type of retail outlet, be it coffee shops, bakeries or pubs. The augmented reality overlay might obscure such premises with advertising or other content, effectively ensuring the user never sees them again. But what happens when such systems are skewed, disrupted or hijacked?

Social engineering
Jenny Radcliffe, a social engineer and penetration tester, highlighted the increasing incidence of attacks that target people rather than systems. Radcliffe said that for those who are interested in and developing the practice of social engineering, “money is almost incidental – they just want to see how far they can push it.”

This worrying trend makes such people unpredictable threat actors; despite this, they are often recruited or co-opted into larger operations by other attackers.

Radcliffe said that her personal research in the area covered exploring personality types to determine whether social engineers on the black hat side were sociopaths, psychopaths or somewhere on a spectrum in between.

Radcliffe said that, from an organisation's perspective, its culture has much to do with how its people react to social engineering attempts. She cited Gandhi's observation that the culture of a nation resides in the hearts and souls of its people, and extended it to the point that an organisation's security resides in the attitudes of its employees.

Radcliffe warned that it is vital to identify the “disenchanted” in an organisation, as these people may, sometimes unwittingly, become the facilitators of social engineering.

Securing the human
Lance Spitzner, research and community director of the SANS Securing the Human initiative, described how security awareness training has traditionally failed. He said that security awareness must be communicated on an emotional level rather than purely rationalised. Information security professionals, he said, often suffer from what he termed the “curse of knowledge”: the more of a domain expert a person is, the less adept they tend to be at communicating the value of their services to those they serve.

Spitzner also said that security ambassadors drawn from business units, rather than from the security team, can play a key part in awareness and education, as can simple measures such as mascots and personifications that appeal to people on an emotional level. Gamification, too, with reward points and titles for levels attained, appeals to people's competitive sensibilities and increases engagement.

He also emphasised the need for leadership to lead on security awareness, both by example and through visible support.

TechCentral Reporters
