More on the Tech-Management awareness gap…

I was reading an article from Dan Dieterle on InfoSecIsland last night about wardriving that had some great (and recent) stats on it, collected first-hand by the author rather than cited from somewhere else. I like those. Anyway, I do both executive (in-person) training and teach via CBT for our enterprise customers’ non-tech employees on cyber safety and security, and I can say with absolute certainty that one snippet of this article highlights the huge blind spot in this discussion. Dan says:

“I was actually shocked at the high percentage of unsecure Wi-Fi systems. With the dangers of Wi-Fi so well-known, it just doesn’t make sense.”

Sure, it’s well known among us – that is, the kind of people who read articles on InfoSecIsland.com. It’s NOT well known among all the people who use and set up WiFi networks, which now include my mom, my grandmother and my 12-year-old niece, as well as people who are (we nerds need to keep this in mind) perfectly competent professionals; they’re just not in our field.

As inconceivable as it is to us digerati, Dan’s topic is as foreign to most people as the inner workings of a Honda’s engine is to most Honda owners. I actually used a wardriving map in a presentation I gave at CeBIT (where people generally are among the more digitally savvy).

Courtesy of https://i2.wp.com/www.home-network-help.com/images/wardriving-map.jpg

The looks of bewilderment that such a sport even exists far outweighed the nodding heads familiar with the stats I showed (which roughly mirror those in Dan’s article).

I’ve found again and again that this gulf has serious implications for enterprise and information security. Employees think that cyber security and InfoSec are something that resides with the geeks in the basement.

The problem is that, as systems become more and more hardened, the ever-increasing trend is toward the path of least resistance: the employees themselves. I’m not a hardcore programmer, and I know relatively little about hacking systems. I know a lot about hacking people. It is this gulf between what the tech-savvy opponent or social engineering expert knows and what the networked employee doesn’t that opens major enterprises to all kinds of threats they’ve never thought of. A couple of my favorite examples:

http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

http://www.nowpublic.com/world/fake-facebook-profile-scotiabank-ceo-sparks-investigation

Is hijacking unused social media space, or researching an executive online, really that hard? Not at all. And as McAfee discussed in the aftermath of the Aurora attack on Google and others, traditional IT security offers no defense against social engineering attacks. The real “vulnerability” here is not one of code but one of awareness.

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)