Ethical Hacking: Going Undercover to Train Employees
March 28, 2013
Businesses have been training their employees to be more aware of potential cyberattacks. However, here’s the twist: the employees don’t always know they are being trained. So-called “ethical hackers” have been hired to lure employees with different tactics such as fake emails promising work bonuses and pictures of adorable cats with links or software that teaches workers how to avoid online dangers.
Another technique involves “in-person breaches.” Ryan Jones, for example, who works for Trustwave Holdings, Inc., is hired to sneak into different establishments in order to test the security concerning sensitive systems. Jones will disguise himself and blend in with the other workers to avoid suspicion. He also plants CDs and flash drives in various locations in an around the companies. Each planted item has a hacking program that takes pictures of the employees who take the bait.
“It starts off as curiosity,” Jones says. “It is kind of the same reason people watch reality TV: They want to see what else is going on in people’s lives.”
This is not a new concept, as several companies have uses this method over the years. The Wall Street Journal reports about an attack that was used on a great amount of employees, and the success of “ethical hacking.”
“Back in 2005, New York state twice sent 10,000 employees and contractors a ‘phishing,’ or deceptive, email urging them to divulge passwords on a linked website,” notes the article. “The first time, 15 percent fell for it, but the second time, only 8 percent did, says Will Pelgrin, who ran the test as the state’s chief information-security officer at the time and is now chief executive of the Center for Internet Security in East Greenbush, N.Y.”
However, there are downsides to these fake cyberattacks. There is the chance that employees may forward the email to a friend or family member, which can lead to the phishing becoming uncontrollable. There was an incident in 2010 where the Air Force had sent out a fake email about opportunities to work on “Transformers 3.” Soon the email was posted on fan sites accessible to the general public.
While some are encouraging the idea, others think that the method is not going to help companies defend against cyberattacks and hacking.
“We should be designing systems that won’t let users choose lousy passwords and don’t care what links a user clicks on,” Bruce Schneier, chief security technology officer of UK telecommunications operator BT Group PLC, wrote in a blog post.
Still, companies have seen their employees become more aware of their work surroundings, as was the case recently with People First Credit Union in Pennsylvania.
“They accosted a pizza delivery guy the other day,” said VP Susan Phillips, after her employees were tested through a phishing email and personal security breach. “They over-reacted… But I’m not going to say any of that is bad.”
No Comments Yet
You can be the first to comment!
Leave a comment
You must be logged in to post a comment.