When we leave our homes, we close the windows and lock the doors. When we park our car, we hide the GPS in the glove box. When we withdraw money from an ATM, we check that nobody suspicious is lurking nearby. Why do we perform all these actions? Because we anticipate the actions of potential attackers.

But does this mindset transfer to information security? Too often, we fail to think like an attacker when it comes to using our personal and work computers. This lack of foresight can expose our personal lives and our workplaces to security risks. If we spend more time thinking like an attacker, we can actively decrease the chances of a data breach. In today's blog post, we are going to discuss how to think like an attacker when faced with social engineering attempts, malicious emails, and social networking issues.
Social Engineering
Have you ever found a USB drive on the ground in the parking lot of your office building or apartment complex? Were you curious enough to take it inside and plug it into your computer? If so, you may have just handed an attacker access to your computer: a dropped drive can carry malware, and the "lost" drive is a classic social engineering lure that counts on your curiosity. Social engineering is the art of manipulating people into performing actions or giving away information. The attacker usually tries to appear harmless, for example by using the name of a coworker the victim has not met in person. Social engineering takes advantage of two innate human traits:
- Most people are not on their “guard” all of the time
- Most people enjoy being helpful to those around them
Malicious Emails
Attackers would often rather hide behind a computer than risk meeting a victim face to face. Have you ever received an email from a stranger abroad who needs your help retrieving money from an international bank account? Or one from a "family member" travelling overseas whose money, passport, and belongings have been stolen and who needs cash wired immediately? In both cases, criminals are trying to drain your bank account by convincing you that someone is "in need". Malicious emails are becoming harder to detect as criminals' skills mature, so it is important to think like an attacker: ask how you would go about getting at your own hard-earned cash, and then take steps to prevent it.
Social Networking Issues
How often have you seen your friends
- Post their vacation pictures on Facebook while they are still on vacation
- Tweet that they are having an amazing dinner at a restaurant out of town
- Check in to their favorite movie theater on Foursquare
If your friends thought more like an attacker, they would realize that they are publicizing that they are not home, and often when they intend to return. Our desire to share information with friends, acquaintances, and sometimes even total strangers can be the equivalent of hanging a "Please Rob Me" sign on our homes. Security is not just about protecting your credit card or Social Security number. It is also about not broadcasting your physical location to potential attackers. You may see your Facebook post as a status update, but the "bad guys" see it as a window of opportunity.
Are You Ready To Think Like An Attacker?
Thinking like an attacker is a skill that takes a little time and effort, but the increased security is worth it. Often it is simply a matter of thinking about where we place our trust and making an informed decision about whether that trust is warranted. There is no such thing as being "100% secure", but we can certainly become more secure if we spend a little more time questioning our assumptions about security and putting ourselves in our attackers' shoes. I urge you to ask yourself the following questions:
- How would you steal your bank account number?
- How would you trick yourself into divulging your username and password to your email account?
- How would you pretend you were one of your coworkers to gain access to sensitive information at work?
Working through these questions will help prepare you to defend against the next criminal who comes your way.
A Few Security Tips to Mitigate the Risk of a Successful Attack:
- Never plug a device of unknown origin into your computer
- Never give sensitive information to anyone who calls you on the phone unless you have verified their identity, for example by hanging up and calling back on a number you already know
- Don't act on unsolicited emails claiming to be from your bank, the police, or a government office, no matter how official they look. These organizations do not ask for passwords, account numbers, or payments by email. Instead, call them yourself using a phone number you have personally looked up, not one taken from the email.
- Avoid clicking links in emails or on untrusted websites: the visible text of a link can say one thing while the address it actually points to goes somewhere else entirely. Instead, type the organization's address into your browser yourself.
- Never open an email attachment unless you are sure who sent the email and where the attachment came from. If a friend forwards you an email with an attachment, don't open it without checking with them first; forwarded messages are a common way for malicious attachments to spread.
- Never post your physical location on a social networking site while you are away from home; if you want to share vacation pictures, wait until you are back
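The link tip above rests on one mechanism worth seeing in code: in an HTML email, the text you read and the address the link really opens are two separate things. The following script is an added example, not part of the original post. It parses a constructed phishing-style email body (not a real message), collects every link, and flags those whose visible text names one domain while the href points at another host. The "registrable domain" check is a deliberately crude last-two-labels heuristic chosen for this example; a real tool would consult the Public Suffix List.

```python
"""Flag deceptive links in an HTML email body: visible text names one domain,
the href goes somewhere else. Added example with a constructed sample message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body (not a real message).
# Link 1: text shows the bank, href goes to example.net.
# Link 2: plain words, href really is the bank: nothing to compare.
# Link 3: text shows the bank, href goes to a bare IP address.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.examplebank.com.verify-account.example.net/">
  https://www.examplebank.com/login</a>
<p>Or view our <a href="https://www.examplebank.com/help">help page</a>.</p>
<a href="http://192.0.2.10/update">examplebank.com</a>
"""

# Anything that looks like a hostname inside the visible link text.
_HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def _host_in_text(text):
    """Return the domain the visible text appears to name, or None."""
    m = _HOSTLIKE.search(text)
    return m.group(1).lower() if m else None


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain
    (assumption for this example; a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def find_deceptive_links(html):
    """Return (href, visible text, reason) for every link whose displayed
    destination does not match the host the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = _host_in_text(text)
        if shown is None:
            continue  # visible text is plain words; nothing to compare against
        if _registrable(shown) != _registrable(real_host):
            findings.append((href, text, f"text says {shown}, link goes to {real_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_HTML):
        print(f"DECEPTIVE LINK: '{text}' -> {href} ({reason})")
```

Run against the sample, the script flags the first and third links and leaves the genuine help-page link alone. This is exactly the mismatch a reader cannot see in a mail client, which is why typing the address yourself is safer than trusting what the link says.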