Calling All Social Engineers
A friend of GreyCastle Security stopped by this morning to discuss social engineering and how it can be used to improve audit programs.
This friend is an Auditor for a large state-run entity, and a wannabe pentester (tough to blame him).
Now I know what you’re thinking – why is an Auditor interested in social engineering?
I’m glad you asked.
First, we’ve seen many audits totally miss the mark by not including the people aspects of information security. In their defense, audits are typically based on compliance regulations or organizational policies, which miss the same mark.
But if you were an Auditor, where would you focus?
On the countless firewalls out there that are summarily bypassed by attackers, both expert and newb? Or the hordes of susceptible bank tellers, healthcare executives, students, IT administrators and other personnel targeted each and every day by cybercriminals all over the globe?
The answer is clear. Auditors need to be social engineers.
But that’s not as easy as it sounds. In our conversation today we talked about what makes a good social engineer. And the reality is, the best social engineers are born, not made.
That being said, social engineering skills can be taught and improved, even if your name doesn’t end in “Mitnick”.
So what are these skills?
The ability to improvise is critical. So is the ability to collect and leverage information about assets (people) to your advantage. And last but not least, the ability to maintain cool under pressure, especially when being challenged.
A good social engineer is generally good at getting out of tickets, into the VIP and around the rules. If you panic when trying to get away with a duplicate grocery store coupon, it might not be for you.
So if you’re comfortable impersonating someone you’ve never met, that may not even exist, to gain confidential intel or compromise an asset for the betterment of the greater good – all while smiling – we may be looking for you.
After all, the human side of information security is quite possibly the most important, and most misunderstood, of all.
Next month is National Cyber Security Awareness Month. Stay tuned for a whole month of interesting thoughts, trends and tips for securing human beings.
Tags: Social Engineering
About regharnish: CEO of GreyCastle Security