Silicon Shecky

Infosec Practitioner

Security – The never ending battle

October 24, 2011 By Michael Kavka

We all talk about it. We all know that it is important. We also get frustrated about the lack of it. Security, one of the most important things needed with technology, really is a never ending battle.

The world is a much different place now than in the past. We are all interconnected. Computers, iPhones, Social Media, and much more have taken the world to a place where we live in two worlds simultaneously. We integrate our lives, our status, and our personal information into the digital world. Meanwhile, there are those that look to get a hold of it. Others to shut down the flow, to slow down the information available, or to just plain steal what they can. So what do we do? How do we stay secure?

Any technology company that produces anything, be it software or hardware, does not want their product to be a backdoor for those with malicious intent. Yet, the more simple a device or a piece of software is to use, the more likely there are security holes in it. We all know that, and we all cringe for those who do not patch, or are unwilling to spend the funds to help secure the technology. So if this is all so important, why does it seem that the infosec professionals can’t get through to people about it? The answer is simple, and that is a disconnect.

We as people working the technological side of things are one of the biggest problems. We talk about DDoS, Phishing, Social Engineering, Hacking and still we have to fight the battle on two fronts. One against the malicious people out there, one against the people we are protecting. You look through the lives of people like Kevin Mitnick and Kevin Poulsen and the books they have written, and wonder how can we stop people from stealing lives, stealing credit cards, using the technology in our hands to do harm to others.

There is the whole patch and write better software approach. You can get the best firewalls, log trackers, and policies if you are lucky to help mitigate it. Make the footprint smaller. So why is it such a struggle for so many businesses and individuals who are not in our line of work to understand that? It’s the disconnect.

The disconnect can be likened to a layman reading a law brief or even a EULA. The wording is not in terms or ideas that people normally comprehend. The world of IT is a fantastic world, and communicating with each other on a technical level is fantastic, but that is because we speak the same language. It’s just like lawyers can understand all the legalese that they write. It’s meant for them, and yet they have to break it down for their clients to an understandable state, at least the ones who care about their clients do.

In the corporate world, larger size businesses seem to have a better understanding. They worry about their products, their secrets and know those have to be protected. The small and medium businesses, not so much. I will recommend hardware, software and policies to help them, and they come back with the same old line, “We are small, no one would want to break into our systems. Most people don’t even know about us.” That is a disconnect. A disconnect from reality, and a disconnect from what we are trying to tell them. Overall there are a lot more small and medium sized businesses (and way more individuals) with this thought process than there should be.

Now I’m not a genius, but I can understand that trying to tell one of these clients that it doesn’t matter what size, doesn’t quite fly with them. They need proof. Once one of them is hacked that one all of a sudden will take security more seriously. Not always to the extent that we would like, but it is a start. So how can we get the others to understand? How can we get them to realize security is not an end, but a process?

That is the real job we have to do. Not try to ram technospeak down their throats but find a way to communicate with them in layman’s terms, in a way that they understand. We all know that no matter what, nothing technology-wise is going to be completely secure. We need them to understand that no matter what, nothing is 100% secure, but we can lessen the chances. So here are some terms we use, and think about how you would explain it to a non-tech person. I’d love to hear your responses.

Smaller Attack Vector

Social Engineering

Zombie Machines

Packet Filtering

Just taking some small terms like that, I am sure you can think of other terms that need to have some sort of layman term assigned to them. The more we think like an average person when talking about what is needed to make their technology more secure, the better chance we have of getting it more secure, and the more time we can spend on actually proactively fighting those that wish to be malicious.

Filed Under: Security Tagged With: Black Hats, InfoSec, Security, Social Engineering, White Hats

A new way to fight Malware, Sort Of

June 6, 2011 By Michael Kavka

We all know Social Engineering is the most commonly used way to spread malware. There seems to be a device that can help with that, as far as e-mails go. It’s not a cheap form of protection though.

We all know that Social Engineering is the easiest way to spread malware. As P.T. Barnum said, “There’s a sucker born every minute,” and in the age of the Internet, it is even easier to get to those suckers. Pyramid Schemes, Malware, Phishing Attacks, all heavily rely on the mark being trusting. Anti-Malware, Firewalls, and security devices have always had a problem with this angle of attack.

Now a company called Cyveillance is touting a new appliance to help mitigate the Social Engineering front. Two problems though. First, like all first generation, innovative ideas, the cost is more than most people make in a year. Over $100,000 for the device alone, not including all the scan types, and extra protection licenses added on.

Second, it only scans e-mail. This is nice for those instances where it is e-mail that has a bad link, but a lot of the malware is coming through hijacked ads on websites. This device doesn’t take any of that into account.

More information is available here and here. Overall the idea of a device like this, or algorithms and heuristics that can defend on this front, and be reliable, is where we need to focus our defenses. Hopefully, someone can go the next step on this. After all, we are only as secure as the weakest link in the chain.

Filed Under: Hardware, Security Tagged With: e-mail, Heuristics, Malware, Phishing, Social Engineering
