I was speaking with an industry insider a few weeks ago and he started asking questions about supply-chain security. We kicked off a rather awkward discussion whereby I dipped into my SCM educational background and he tried to convey his actual meaning which was much closer to informational supply chains, or better yet, the flow of trusted information. This lead to a great hour of discussion about an attack vector that I call, Exploiting Human Trust and Complacency.
I’ve blogged about social engineering and the new perimeter (Sally in Accounting) in the past, and this expands upon that very notion. How do attackers take advantage of this attack surface, and how are they so successful?
Before we delve into that, let’s take a moment to explore what this Human Trust thing is.
Mouthing off, by db*photography
In this increasingly electronic society, we are bombarded by content from people or companies we do not know both in our personal and professional lives. Ironically, it seems that the technology designed to make us more efficient across many miles of land forces us to cultivate deep, personal relationships in-person with those with which we truly want to interact. We first must build some level of human trust with someone in order to give them mind share.
Some people give it up faster than others. If you are young or new in the business, eager to make contacts, you may be willing to trust someone after just a phone call or an email volley. A seasoned, or high-demand professional may need two or three in-person meetings to solidify the trust. Once you have it though, it typically sticks around unless you do something boneheaded to lose it. We’re complacent about continuously validating that trust. So if you build a relationship with someone in a way that you earn their trust, just routine contact (not always in person) will keep that trust going enough to allow someone to exploit it.
The strange thing is that trust seems to binary for us. Either we do, or we don’t. That’s where the danger can really rear its head. Let’s say, for example, that you have a partner you are working with and have exchanged many emails, phone calls, and in person meetings with them on a certain topic. If their machine or network is compromised by a sophisticated attacker, it could easily affect YOUR security and network. Sure, that email looks as normal as any other ones from that person, but is it a breach waiting to happen?
Living in a world of paranoia isn’t fun, therefore we need a combination of good tools and good processes not to enable this complacent trust, but to take the variable (the human) out of the picture. We must take decision capabilities away from humans and default to a “quarantine/destroy first, ask questions later” type of attitude. It’s inconvenient, but it might just save your day.
Possibly Related Posts:
- Ten Things Companies Get Wrong About CIAM
- Protect Yourself and Freeze Your Credit
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug