In the past, most hackers have relied on technological vulnerabilities to access and manipulate data illegally, but they are now beginning to play on social vulnerabilities to do just the same. The name of this newly popular practise is ‘social engineering’ – this is just a shorter way of saying ‘tricking people into disclosing confidential information, into bypassing security measures and into revealing passwords.’ It is difficult to train your employees about social engineering tactics, because while you can take your employees through mandatory security training with regards to sensitive data, you will never know how effective the training is until it is too late.
Laura Bell, founder of New Zealand security consultancy SafeStack, had this realisation two years ago. She realised that it was important to identify those at the highest risk of falling victim to social engineering attacks, rather than giving all employees the same training. After identifying these people, employers can then modify their security training programmes in order to put specific focus on the areas in which they are weakest. As there was no such way of identifying weaker employees at the time of her realisation, Bell set to create AVA, a free human vulnerability scanning device. This could be a saviour for employers, but not everyone reacted to the security tool with such positive feedback – some even suggesting that Bell should go to prison for her development!
An Example of Social Engineering
Here is a hypothetical example of social engineering in action shows the importance of AVA: a junior help-desk technician in a large company is worried about the security of their job and is constantly looking to please their superiors. One night, they receive a message from ‘David’ demanding that his password is reset immediately. Knowing that David has a lot of power within the company (and hoping that helping him out could help them in the long run) the junior technician overlooks the fact that password resets should never be handled in this way. Despite security training, the technician is so intent on pleasing David that they reset the password without delay. One catch. It wasn’t David that sent the message; it was a hacker and the hacker now has access to all of David’s accounts.
Cyber criminals know what they’re doing, and will use websites like LinkedIn to find out who the influential people within a company are, and they will use this information to play on the vulnerabilities of more junior employees. AVA can prevent these problems by creating custom phishing campaigns in order to find out what each employee would do when put in such a situation and provide further training to those who act incorrectly, before the real thing occurs.
That said, some are wary of AVA because in rare circumstances it can be used by the very attackers that it is meant to stop. Bell doesn’t deny this, but suggests that AVA is only different to other vulnerability detectors because it deals with people, rather than machines. With machines there is no empathy.
People have also stated worries about AVA’s ability to monitor employees’ information in their private life. However, Bell suggests that the lines between private life and work life are becoming increasingly blurred, and that the two are now inextricably linked. She does not intend for AVA to trick people or to invade their private lives, but rather to increase awareness of the ubiquitous risk of cyber criminals, especially amongst those who face the highest risk..
Bell posits that attackers aren’t likely waste their time using AVA because it isn’t yet fully developed, but she is prepared for the further abuse the programme will get and has developed an ethics and privacy board. As with every computer software programme, she understands that there will be people that misuse it, and is committed to creating a team to help to work against this threat.
So far, the positive feedback far outweighs the negative, and government organisations have shown interest in AVA. Bell will not give up on her development, a valuable weapon in the fight against social engineering.