Who among us has not done something so incredibly dumb that we wished we could go back in time and change just that one event? The Exxon Valdez oil spill comes to mind, with at least 11 million gallons of crude dumped into Alaska's Prince William Sound. The captain, Joe Hazelwood, who had been drinking earlier that evening and was asleep in his cabin when the tanker ran aground, could have used a time machine. One poor personal choice and he gets to be the primary player in what is considered one of the most devastating human-caused environmental disasters of all time.
Cybersecurity, while not as emotionally charged as the Alaskan oil spill, is now littered with the devastating effects of individuals who have unthinkingly cost their companies, the country, and countless unknowing consumers billions of dollars in stolen money and unproductive effort. Company reputations have been lost and stolen military secrets may have cost American lives. If only we had a time machine.
The ultimate blame for security attacks and the damage they cause lies, of course, with the malicious hackers and hacktivists who initiate and orchestrate them. But the majority of successful attacks are widely reported to begin with a well-meaning, well-educated company staffer who did something careless or skipped something easy.
The term social engineering describes the act (maybe art is a better word) of enticing people to bypass computer security by performing actions or divulging confidential information. Clever cyber criminals convince unsuspecting users to provide an inroad into a company's protected systems. Just as frustrating (to companies) are individuals who unknowingly (or sometimes sloppily) open or leave holes in a company's security defenses. By most measures, the largest security danger to a company or organization is its own staff.
Why should a hacker bother to spend endless amounts of time and energy to hack into a computer system when he or she can easily convince someone to hand over the keys to the castle?
Social engineering takes many forms. A few of the more entertaining (dumber) ones are:
One inadvertent click or conversation often bypasses millions of dollars of hardware and software security protections. Computer security is almost never at the top of anyone's mind. While the downside of a security breach can be devastating to a company, the average employee perceives no personal risk, and the attackers are usually very smooth.
Humans are, by all accounts, imperfect. Yet we drive potentially deadly cars and trucks every day with very few fatal accidents. We seldom make mistakes when handling money, and we infrequently forget to wear socks to work. What makes an otherwise intelligent species click on a link when we know it could be a trap? What makes us ignore obvious security holes when they are right before our eyes? My father probably would have said it's from watching too much TV. That probably isn't the answer, but it's the best I have right now.
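The "link that could be a trap" usually works because the link you see is not the link you click. As an added illustration (this is not code from the original post, and the trusted domains, the sample message and the confusable-character table are all assumptions made for the example), the following Python checks the anchors in an e-mail body for two of the standard tricks: visible text naming one host while the href points to another, and hosts that merely look like a trusted domain, either through swapped characters or by embedding the trusted name as a subdomain of an attacker-controlled one.

```python
# Added example, not part of the original post: audit the links in an HTML
# e-mail for the tricks behind an "inadvertent click".
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: the hosts the organisation really uses.
TRUSTED_HOSTS = {"example.com", "login.example.com"}

# Assumed confusable substitutions attackers use to build look-alike hosts:
# digits for letters, and "rn" for "m".
_DIGIT_MAP = str.maketrans("0135", "olse")


def normalize_host(host):
    """Fold common look-alike characters so 'examp1e.c0m' compares as 'example.com'."""
    return host.lower().strip(".").replace("rn", "m").translate(_DIGIT_MAP)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare domains in visible text get a scheme so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself names a domain."""
    return bool(re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text))


def audit_links(html):
    """Return [(href, [reasons])] for every link that shows a sign of deception."""
    parser = LinkCollector()
    parser.feed(html)
    trusted_normalized = {normalize_host(h) for h in TRUSTED_HOSTS}
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        # Trick 1: visible text names a different host than the real destination.
        if looks_like_url(text) and host_of(text) != target:
            reasons.append(f"text says {host_of(text)} but link goes to {target}")
        # Trick 2a: character-swap look-alike of a trusted host.
        if target not in TRUSTED_HOSTS and normalize_host(target) in trusted_normalized:
            reasons.append(f"{target} is a look-alike of a trusted domain")
        # Trick 2b: trusted name embedded as a label of an unrelated domain.
        for trusted in TRUSTED_HOSTS:
            if trusted in target and target != trusted and not target.endswith("." + trusted):
                reasons.append(f"{target} embeds {trusted} but is not under it")
                break
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one honest link and two deceptive ones.
SAMPLE_EMAIL = """
<p>Your password expires today. Sign in at
<a href="http://login.example.com/reset">login.example.com</a>
or <a href="http://1ogin.examp1e.com/reset">login.example.com</a>
or <a href="http://login.example.com.evil.test/reset">click here</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed message, the honest first link passes and the other two are flagged. The point for the reader is that none of this is visible to the person staring at the rendered mail: the same check that takes a machine a millisecond is exactly the one a busy employee skips.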
Posted in Business