“Hacking is exploiting security controls either in a technical, physical or a human based element,” – Kevin Mitnick. Well, let me give you another quote “Daaaaaaaaaaaaddy, I am bored!” – my six-year-old daughter, yesterday.
Here is the scene – I am working on a presentation about cyber security flaws in enterprises, trying my best to focus on details and numbers, my wife and son are at a playground and my daughter is here with me, obviously getting bored. I promised her that I will be done in 30 minutes and that I will play with her once I’m finished. “Daaaaaaaaaaaaaaaaddy!” – ugh! The internal struggle, am I being a good father working hard to support the family or am I a bad father for not playing with my daughter? She needs to learn that she can’t get everything the moment she asks for it! Then again, she is a child – she wants to play! “Daaaaaaaaaaad!” – ok, we moved from daddy to dad, now it is serious, just like when my wife’s tone is very different when she says “honey” and when she says “Etay!” I know what’s coming next.
“Okay, take my iPad, play with it for a couple of minutes, and I will wrap up here.” Boom, two cyber security failures combined. Her nagging and pressure (aka social engineering) worked and I just gave the adversary (yes, in this case it is my daughter) physical access to one of my devices. I speak at many events about the failures of enterprises and how it doesn’t matter how many cyber security products they have if at the end of the day a simple phishing email or a social engineering attack via a phone call will allow the attacker a foot in the door. And I just did THAT. In two seconds!
“Daaaaaaaddy! It’s locked!”, well of course it’s locked – I am in the security business, who do you think you are dealing with here child? “Daaaaaaaaaaaaaaaaaaaaaad” – ugh… okay okay, here is the code. “Thank you, daddy.” *kiss* Where did she learn these small manipulations? Okay, never mind back to work. Fail number three – she knows my iPad’s password. She covered two of Mr. Mitnick’s three possible hacking vectors. You only need one, but she is not leaving any bases uncovered. Back to the presentation, need to concentrate.
“Daddy, I am installing my favorite app, I will delete it later but I need your thumb to install it”. Well that came as I was calculating some numbers that have to do with GPUs vs key spaces. Can’t be bothered now, the thumb is in the air and I feel her pressing the iPad to it. It was at that moment that she had “something you know, something you have (sort of) and (now) something you are”. All three authentication factors, and it was all because (drum roll) of human error.
There is a slide I like to present at the end of my sessions where I discuss the story behind the survivorship bias. A short version can be found on Wikipedia, longer (and highly recommended versions) can be found on the web. During World War II, the US military was trying to find ways to raise the survivorship of their bombers. A think tank working on this issue was given the image below – indicating where most bullets hit the bombers. The team recommended reinforcing those areas with extra armor to ensure the bombers can take the hits. It was a statistician by the name of Abraham Wald that pointed out that this is completely wrong. The diagram was created from the bombers that made it back! Meaning, they can take hits to those areas and survive. However, one hit in the engine and the bomber doesn’t come home – that is why you don’t see any red dots on the engines, and is precisely those “dark areas” in the diagram that need to be acknowledged and protected.
Similar to this, in the cyber security field we see companies that invest more and more in the same areas that they are already pretty good at fighting off cyber attacks. Constantly updating your firewall / end point / anti-phishing, etc. is indeed important – but it is those dark areas that you should look into as well. If an employee will fall for a simple social engineering scam – a lot of these security solutions (as important and good as they are in their field) will not help. Look into these dark areas, and if you are unsure what they are – have a hacking team come and rip you apart! You will be glad to have a third-party penetration testing team give you the report rather than having to explain how you got breached to the board of directors (or on national news).
Even the best penetration testing report will not give you a 100 percent guarantee, but there are steps you can take to further enhance your security posture. A few things to consider are cyber security training, preparing an incident response plan that covers what needs to be done and who needs to be notified, as well as training your employees and having the proper security measures (not just something your auditor will give you the check mark for – but rather a tool/procedure that deals with your actual threats). These preparations will give you a head start if and when you will have to deal with a breach.
“Etay!!!!!” – oh no, my wife’s tone! I’m in trouble. Quick check – dishes? Done! Guitars? In place! Hamster? Alive! What is it then? “What is this $31.86 charge from Apple?” I have no idea what she is talking about. A quick check and I find the answer. Looks like I made an in-app purchase yesterday for that amount. What app you ask? ‘Ashlee fun girly girl gymnastic’. I HAVE BEEN HACKED! But it was all my fault – the guy who doesn’t move away from his computer without locking it, who has a complicated approach for having multiple strong passwords, who uses separate computers for different tasks based on the information they require – was hacked by his six-year-old daughter. There is going to be a serious talk at dinner over what is allowed and what is not, but having just been ripped apart by a six-year-old, it is I who will need to review my processes, tools, and procedures.
RELATED: Check out more from Etay Maor at RSA Conference Asia Pacific & Japan 2018 on July 25 for a seminar on White Hats and Cybercriminals’ New Tool: Artificial Intelligence
*Editor’s Note: This blog originally appeared on LinkedIn on June 4, 2018*