Thursday, February 11, 2021

Social Engineering

I'm currently taking three classes in my last semester of a cybersecurity degree, and one of them is Human Aspects of Cybersecurity. I did not expect this at all, but I'm kind of having a blast. Essentially, it's social engineering. What's that, you ask? Manipulation. How are people manipulated to give up information?

It's actually terrifyingly easy. People are so conditioned to be friendly. And apparently, being friendly means opening up your entire life story. Some are worse than others. I have met people that in less than ten minutes, I know how many ex-husbands they have, their neighbor's horse's names, and that they spend large amounts of money on antique furniture. 

I can't do much with this information, nor do I want to. But I think about certain friends I know that can't resist a good Facebook quiz. In fact, one that I'm thinking of, I know that she's a Capricorn born on January 5th, her favorite color is purple, she's divorced but in a new relationship since then, and where she's eaten in the last week. I can use this. How many security questions ask your favorite color? How many verifications want your date of birth? I can start predicting patterns based on where she regularly eats. I can get into other things based on the name of her new relationship. This is all info in various Facebook quizzes and her profile. It's even discarding a lot of other random things I could learn simply by "relating" to her. Drop a mention about Supernatural or Harry Potter and I can find out a lot.

And this isn't just her. It's shocking the amount of stuff people put out there for everyone to read. The Internet has a long memory, and when someone is posting upwards of 10 posts or more a day, it takes some time to sift through, but they've given you an entire picture of who they are.

Off of Facebook, it's not much harder. You just have to do more work for it. I know that my next-door neighbors have two adult children, one of whom has twins. They live in Michigan. That probably irritates dad because of a long-standing football rivalry. The guy worked at a dishwasher repair place before retiring and has had heart issues. The woman works as a hostess at a local Italian restaurant. Her sister also worked there and has served Chrissie Hynde. She likes to run, her mom has dementia, and their dog was named Jake and he liked to sleep under the tree in my yard.

How do I know all of this? I listen. People talk. You're probably thinking, "Yeah, but it's a friend and your next-door neighbor. Not everyone does this." Sure they do. I've had conversations with complete strangers and they told me they're fixing up their house so they can sell within the next six months. Cool. If I were evil-inclined, I'd wait for your house to go up for sale, break in, and if caught, I know the name of the owner. She introduced herself to me.

What does this have to do with cybersecurity? Everything. According to the Verizon Data Breach Incident Report, 30% of attacks involved an insider (https://enterprise.verizon.com/resources/reports/dbir/2020/introduction/). Now, this doesn't necessarily mean that a person in a company intentionally attacked their own company 30% of the time. It does mean they bear responsibility for it. Lousy password security, not locking your computer, etc. all make it very easy for an attacker to get in. Not shocked yet? In 2003, 90% of office workers at London's Waterloo station gave away their computer password in exchange for a cheap pen (https://www.theregister.com/2003/04/18/office_workers_give_away_passwords/). People are ridiculously lax with their information and the security of that information.

So where am I going with all of this? Well, be smarter than that. Not just the computer password in exchange for a pen, but stop doing the Facebook quizzes to find out your spirit unicorn name. Be bold. Make up your own spirit unicorn name! While you don't necessarily have to stop chatting with the neighbors, be circumspect about who you reveal information to. 
