Welcome to 2015!
A few years ago I was working a part-time job as an IT guy and I was talking to the boss about how well our users were trained. Keep in mind we worked in a mental health agency, so our users were counselors, Ph.D.’s, and social workers. Some pretty smart people, very adept at smelling a scam because our clients were occasionally some very crafty folks. I was given permission to try sending phishing emails to a few staff members as a test of their response.
The results knocked my boss’s jaw to the floor. At 3:27 p.m. I sent this email from an email address that I had created that was obviously not the IT director. In one hour, I had seven out of thirteen passwords.
This was a simple—and I would even call it crude—attempt at something called social engineering. Social engineering is all about taking human nature and using it against us. It is so effective that, increasingly, many cyber attacks rely on social engineering to one degree or another.
What Might Have Happened
With the password and email address in hand, I could have easily accessed any of these accounts. And so could an attacker. From there, an attacker would have found a treasure trove of information: names, titles, the address book, and that email from IT about three months ago telling everyone their email passwords had been reset to, “password123.” (And we all know someone who just left it and never changed their password—don’t we?)
And that’s just for starters. Your antivirus won’t stop this kind of attack.
What this demonstrates is that cyber security and hacking are not strictly a highly technical science that only a few gifted geeks understand. Technology has profoundly affected and infected our lives, and this has drastically reduced the technical skills necessary to pull off a stunning hack.
Not Just an IT Problem Anymore
Once a month we read a headline about the largest data breach in history. This is not usually because of a technology problem. Our society has embraced technology and the technology works remarkably well. What’s repeatedly been demonstrated is that this is a societal problem, a people problem. What’s being displayed is the fact that we have failed to educate ourselves on how to use this new technology, and how to secure it. Overall, we have become complacent and just expect things to work. And when they don’t, or when something goes wrong, we pass it off as, “The IT guy’s problem.”
The time is now for all of us to start becoming digital sheepdogs, which means realizing that wolves, sheep and sheepdogs exist in the cyber domain. We can no longer look to the IT guys to fix our problems. We must stop being digital sheep and surrendering our cybersecurity with excuses like, “This is too technical!”
That’s a lie, and cybersecurity is now a part of our job.
Since the LulzSec attacks against law enforcement four years ago, cyber attacks against law enforcement have grown dramatically. Any kind of activist activity is now also followed up with a cyber attack, either against individual officers or entire departments. And there’s always the opportunistic hacker looking for a weak or vulnerable website or individual.
Many agencies have already had to learn this the hard way. When will yours?
Our profession has a saying: complacency kills. This is just as true in the cyber domain as it is at midnight when making a traffic stop. And if you don’t start improving your cyber practices, you will be the next open door for the bad guys.
Over the next several months my goal is to bring you practical tips and steps you can take right now to safeguard yourselves, your agencies, and your community. The important thing to realize is that it’s time for our mindset to change towards cybersecurity and the cyber domain in general. It’s time we start owning this domain and learning how to operate here.
Sheepdogs, welcome to 2015.