Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Apr 18, 2015

People: can't do with 'em, can't do without 'em

The latest 2015 Verizon Data Breach Investigation Report indicates, once again, that a significant proportion of "data breaches" involve social engineering, perpetrators typically phooling victims into opening infected email attachments or clicking links to infectious or fraudulent websites.  The report also indicates, once again, that security-awareness is necessary to mitigate the social engineering threat. Technical "cybersecurity" (IT security) controls are of limited value precisely because social engineers (and fraudsters and spies) bypass most of them, exploiting vulnerable people instead.
"[T]he common denominator across the top four [incident type] patterns—accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly, or losing stuff, most incidents fall in the PEBKAC and ID-10T ├╝ber-patterns. At this point, take your index finger, place it on your chest, and repeat “I am the problem,” as long as it takes to believe it."  (page 32)
I can hardly believe we're still banging on about this stuff in 2015 as if it's news. Is there anyone out there who doesn't know this already? Kevin Mitnick's "The Art of Deception" was published 13 years ago and it was far from being the first treatise on social engineering. Likewise with NoticeBored: we've been selling security awareness materials for the same period, and running security awareness campaigns for nigh-on 40 years.

It makes me cringe whenever I see someone making naive statements or posing the most basic of questions about human factors, phishing and other forms of social engineering, including security awareness*. Why is this such a persistent, long-standing issue, a veritable blind-spot for some? Aren't we doing enough to help people realize and understand what's going on, and show them how to defend themselves, their families and their organizations? Or are we expecting too much of people who aren't immersed in the field? While most of us have a clue, there are bound to be laggards, most either ignorant/oblivious or in denial. They are natural targets for social engineering ... including security awareness*.

Regards,

* Yes, security awareness qualifies as social engineering, albeit with benign rather than malicious intent, but nevertheless it is manipulative.