I've lost count of the number of penetration tests I've performed over my 16-year security career. I've not lost count, however, of one critical metric:
A 100% successful penetration history when social engineering or client-side attacks are permitted
That's right -- 100% success rate. Now some of you are thinking I just stated the obvious, and you're right. But I do this to make it painfully clear. The human element, or Layer 8 as I like to call it, is the weakest link. When direct attack against Internet-facing systems fails, indirect attack using phishing and malicious attachments is a sure bet. It only takes one user to get us in. Once we're on that user's PC, the soft and chewy center of the internal network is ours to exploit.
I've heard CIOs, Security Managers, and System Administrators all say, "End-users should know better!" Newsflash: If you've not taught them, tested them, reinforced the message frequently, monitored for infractions, and taken corrective action, well... they don't know better.
If you do not have a formal security awareness program, you're one careless click away from an incident. Annual training is entirely inadequate. If I only told my children annually to look both ways before they cross the road, the results would be devastating. It's no different with your employees. You don't need to treat them like children, but you do need to stop assuming they're equipped to make good decisions when faced with danger.
Today's threats aren't as obvious as a car speeding down our neighborhood road. They look more like an ice cream truck driven by a friendly looking man. What could be dangerous about that, right? Stay tuned for more posts on social engineering, client-side attacks, and helping employees develop a healthy dose of suspicion that doesn't create more work or slow them down.