Author - Sivakumar RR
“Amateurs hack systems, professionals hack people.”
– Bruce Schneier (American cryptographer, computer security professional)
You are probably wondering why I started with that quote. Well, there is a reason for that. In the era we are living in right now, where everything is moving to a digital representation of entities, “Security” is a hot keyword to deal with.
Let’s take a look at a real-world scenario. Both White Hats and Black Hats (don’t get too grim about these terms; they are just fancy labels for the “Good Guys” and “Bad Guys” of the security domain) have access to the same set of tools and applications. So what’s the difference? The answer is “Perspective”. How an attacker looks at his or her target, or how well a defender understands his or her application and user behaviour, is what matters most. The more they know, the better they can secure or breach the same system, depending on which side of the game they are playing.
We have come a long way from a defensive point of view. People who try to secure systems are now well aware of the known vulnerabilities and their mitigations, so we built security applications and services that add more protection to our applications and infrastructure. The more loopholes we identify, the better we secure them against attacks. Performing an attack is therefore no longer a piece of cake: attackers have to deal with all the layers that protect their target, which pushes them to look for weak spots rather than spend time and effort breaking through those layers.
That leads all the attention to the “human” part of the puzzle. How can we hack a human being? You are probably thinking along those lines. It’s not about controlling a person; it’s about tricking a person into giving me information that helps me break into the secured target. This is called Social Engineering: I, as a hacker, use the information gathered about you from your social media profiles or your communication channels to get through you.
Imagine a scenario where someone calls you claiming to be a newly joined IT person and asks you to reset your password by clicking a link he has just sent you, rushing you to do it as an emergency. He might mention your boss’s name and/or the names of some teammates (which he could have found on your LinkedIn profile) to make the call sound genuine. If you fall for this, he has your attention and can get you to comply, and your credentials end up compromised the moment you click the malicious link. This is called a Vishing attack: a form of voice fraud using social engineering, where he convinces you that he is from IT and makes you perform the action he wants.
There are many forms of attack that target human error, like Phishing, Tailgating, etc. Employers run periodic campaigns to educate employees about these things so they don’t fall for them. But in most cases these campaigns use the fear factor to make people aware: if you do ‘a’ it will lead to ‘b’, or if you follow ‘c’ it will make you lose your data, and so on. All of them end with strict steps to follow or actions to perform before or after each process.
But what is the right thing to do? Should we use fear campaigns and make people follow the steps, making them more predictable? Or should we enlighten them with the idea of security and why it is important, so they can build a security mindset instead? Let’s give them tips on what they can do instead of what they should do, which will help a user tell the difference between what he or she planned to do and what is supposed to be done.
Take responsibility for your privacy and security. Following published standards and processes will help you for some time, but not in the long run. Remember: “give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime”.