The Problem With Know-it-all Security

@rfdevere Blog

I am not one for quotes and ‘Facebook philosophy’ memes, but recently I was reminded of my favourite quote on a certain social media platform:

“The only true wisdom is in knowing you know nothing.” – Socrates

The pursuit of education can convert a criminal into a solicitor; it can envelop minds and has a plethora of benefits. Dietary education can change the shape of a person, and knowledge of the science that defines our time on earth can culminate in a robot on Mars. There is no debating it: learning is good for us!

But what can it do for security?

In my time assessing social engineering vulnerabilities, the ‘game of knowledge’ crops up time and time again. This game is present in almost every scam – it is about the only thing consistent across the different formats of social engineering attacks.

A common attack in the wild that illustrates this well is the telephone hijack. An attacker calls a landline number, explains that they are calling from the telephone company, and demands payment to avoid the immediate disconnection of the line.

For proof, they offer the mark the chance to validate their authority and power by asking them to replace the handset and check for themselves. The attacker leaves the call open, so when the mark replaces the handset and then picks it up to check for a dial tone, there is only silence. The phone rings when the handset is replaced again, and the attacker collects payment details or other information in the second half of the call.

Basic knowledge of how a phone works would avoid this mishap, but is it impractical to teach 10,000 staff the basics of the plain old telephone service (POTS)?

And if you did – what next? How to validate SSL certificates? Checking the MD5 value of financial spreadsheets? RFID shielding? The list is endless.

At this point, a lot of companies flounder and panic. The corporate giants are concerned with protecting the ‘vessel’ that ensures shareholders receive dividends and employees get wages. I personally am solely motivated by securing the staff and customers of these organisations.

Any worthwhile social engineering assignment will highlight a need for training and education based on the actions of staff, but in my experience the real security impact comes from the higher-ups. These people have to be brave in their next board meeting, stand up and say, “I don’t know, but I want to learn.”

It’s only by looking at a company’s weaknesses that you can start to strengthen it – with the ever-evolving game of knowledge, you can secure your organisation. Security cultures must be changed and we (as an industry) have to stop thinking we know every last piece of the puzzle. I know I don’t! But I am always willing to learn more.