Security maturity is an interesting thing, and something I often discuss with those I work with as well as with people at companies across a wide range of industry sectors. Specifically, I am mostly interested in the maturity of the security testing strategy in place, whether actual or perceived. I am a firm believer that no single form of security check / assessment holds the answers. It’s like a puzzle: the various levels of assessment together form a picture, and the level of detail and clarity in understanding it comes both from the information gained and from the maturity of those in the organisation to interpret it and act on it accordingly.
A poor example would be your company having a Red Team assessment (considered by many to be the high end of the maturity spectrum in real-world security assessments). It probably cost a good chunk of change, but you got that big red stamp in the book, so you’re happy campers and feeling chuffed about your security testing model. However, you then spent your time pushing back on the report’s findings, challenging why they pointed out that you still need to patch MS08-064, or arguing that using the credentials found in the passwords.txt file on the personal assistant’s machine is cheating 🙂 The point I am trying to make is that any assessment is worthless if you don’t take on board the security and risk learnings that come out of it, and spending a fortune on testing isn’t smart when you don’t do any of the basics, as it’s just an expensive way to learn that you fundamentally suck. So in my mind your security assessment model should be progressive: one form of testing isn’t a substitute for another, they are complementary and should build upon that maturity model to give you a tried, tested and validated picture of your security posture.
So now that I have got that off my chest 🙂 on to what I really wanted to mention in this blog post, and that’s companies not utilising social engineering in their security testing strategy. You might be reading this and saying “we do, we have regular security awareness / phishing campaigns”. If this is you, that’s great and something you should be doing, but many of these awareness campaigns do just that: make people aware, so they can spot the corporate phish. They don’t tend to make people healthily paranoid about everything that enters the inbox. Also, social engineering isn’t “phishing”; that’s just one of the tactics that may be employed by the social engineer. Many companies don’t feel mature enough yet, and that’s a good appreciation to have, but you have to start somewhere. Other companies say they don’t have any social engineering as part of any of their assessments because they know it would be successful. This one drives me crazy. Over 90% of cyber-based attacks in recent years had some form of social engineering as a key trigger point, so of course it’s likely to be successful, but that’s not a reason to skip it and miss valuable learnings about the technology you implemented, the processes in place and how you respond. It’s like saying I won’t bother learning something because I know I will fail at my next go anyway. Our social behaviours are born out of centuries of cultural, environmental and historical experience; they are not something that can be changed overnight, but they are something worth including in your security assessment approach. For starters it will provide you with some metrics (all companies love metrics). Also, tell employees it’s something you do; this will take some getting used to, but with understanding comes some healthy paranoia. And a good social engineering component is going to tell you more than just whether your people can open a phishing email and get compromised.
It’s also going to help you understand your social leakage: what information employees are sharing online, both company-related and perhaps personal, that makes them more of a target. And with the right objectives / goals you can learn about more than just your electronic controls, but also your physical and observational controls.
So I encourage all of you who are responsible for security assessments / assurance in your organisation to have social engineering components in your testing requirements, all with good clear goals. If you are someone who provides security assessment services, put some solid effort into providing a good social engineering capability, and convince your customers of its value by demonstrating it to them.
Sorry for the long post, but thanks for reading through.