Social-Engineer Newsletter Vol 07 – Issue 95

 

Vol 07 Issue 95
August 2017

In This Issue

  • Lessons from Disasters to Improve Security
  • Social-Engineer News
  • Upcoming classes

As a member of the newsletter you have the option to OPT-IN for special offers. You can click here to do that.


Check out the schedule of upcoming training on Social-Engineer.com

5-9 February, 2018 – Advanced Practical Social Engineering – Orlando, FL

If you want to ensure your spot on the list register now – Classes are filling up fast and early!


The SEVillage at DEF CON 25 would not have been possible without it’s amazing sponsors!

SECTF Sponsors

SECTF4Kids and SECTF4Teens Sponsors


Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books

If you do, you can register to get the first chapter completely free just go over to http://www.social-engineer.com to download now!


To contribute your ideas or writing send an email to contribute@social-engineer.org


If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.


Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!
http://www.csitech.co.uk/training/online-ram-analysis-for-investigators/


The team at Social-Engineer, LLC proud uses:


A Special Thanks to:

The EFF for supporting freedom of speech

Keep Up With Us

Friend on Facebook Facebook
Follow on Twitter Twitter

Lessons from Disasters to Improve Security

In my fantasy life, I’m Ruby Rose from John Wick: Chapter 2, Gina Carano from Haywire, with possibly some Michelle Yeoh from Crouching Tiger, Hidden Dragon thrown in. In real life when bad things happen, I’m actually Bambi’s mom. But I don’t feel bad because apparently, it’s part of the human condition.

The problem with being human…

Most of you have probably heard of the fight-or-flight response, in which we react to highly stressful situations through either putting up a struggle or fleeing the scene. More recently, behavioral scientists have updated this theory to include a third option, which is to freeze. As discussed in this great BBC Future article on how we react to disasters, stressful situations result in a dump of neurohormones which basically shuts down the area of the brain responsible for good decision-making and impedes our ability to respond appropriately (and then we die).

This relationship is also consistent with the Yerkes-Dodson principle, which describes an inverse curve correlation between stress and human response as outlined in the figure below. If people are too overloaded due to stressful circumstances, they are simply unable to perform in an optimal fashion.

In addition to physiological response, we are wired to make information processing as simple as possible. In familiar situations, we go into an “autopilot” mode that allows us to move through the world efficiently – Tversky and Kahneman called this the use of heuristics, or mental shortcuts. As things unravel in stressful situations, deciding on the appropriate course of action takes us longer as we’re taking in and processing more pieces of unfamiliar information.

We’ve all read the inspiring stories of people who think quickly under emergency conditions, saving lives and property. What we’re coming to discover now is that these heroes are actually a very small percentage of the population. These people have the ability to stay calm and make good decisions, have had a lot of training and preparation, or both.

I can hear you all now; “Okay Michele, this is all very interesting, but how is this relevant to my security program?”.

I promise this is going somewhere.

Bad guys take advantage

Malicious attackers don’t need a degree in psychology to know what works. Do a quick search online and you’ll find countless stories of social engineering attacks that start with the attacker creating a situation that places stress on the target then asking for a response in a very limited timeframe. Whether it’s an email that states “Your info has been found on Ashley Madison” to a phone call from a furious “boss” asking why an invoice hasn’t been paid, the professional attacker knows that if a target’s stress levels are elevated enough, there’s a very good chance they won’t make a good decision.

Now you understand WHY your population may make seemingly unwise choices in the face of unlikely requests, and it’s not because they’re stupid. The “why” matters because ultimately, how you feel about your population will affect how you treat them and choose to handle incidents. This in turn will impact your efficacy as an information security professional. I wrote about the importance of good relationships in producing top-notch security programs in a past newsletter.

The Takeaway

So how do we get past our natural inclinations? Here’s what I want you to walk away with, and it’s no secret. You need to prepare your population by training and testing. But it needs to be focused and relevant, not just anything that checks the blocks. Interestingly, the author of the BBC Future article frames the solution the same way. According to the expert he cited, “You have to practise and practise until the survival technique is the dominant behaviour,”. Basically, train and test your population in the appropriate context until the desired response is acquired and becomes automatic. And even when you feel like it is, do it again.

That last point is important because making good security decisions, in my opinion, is a degradable skill. Just like playing chess or shooting on the range, it’s not something you learn and master in perpetuity. It’s an ongoing endeavor that needs to be practiced and modified to adjust to current threats.

I hope you think about these factors as you plan your information security program:

  • Understand that your folks are responding to requests in very human and typical ways.
  • Give them the information and tools they need to identify suspicious requests and an easy way to alert your security team.
  • Train and educate regularly, and be consistent about what’s expected.

As a security professional, you can’t prepare for every possible scenario, but with thought and preparation, you can go a long ways towards hardening your folks against human-based attacks. Don’t be a deer in the headlights!

Written By: Michele Fincher


 

 

Leave A Reply