
Deception: The biggest cybersecurity hole


Over the last two years we have seen many vulnerabilities affecting large organizations, ranging from application bugs to flaws in the SSL/TLS protocol itself. Despite that, the human factor remains the main security problem.

Why force your way into a system when you can simply walk in through the front door?

When we talk about hackers breaking into systems to steal confidential data, people usually assume the attacker found a vulnerability in a system and used it to get inside, relying on advanced techniques or coding skills.

In reality, most of these cases are the result of "social engineering": taking advantage of people to obtain the access needed to reach the information, with little or no technology involved.

We need to start by distinguishing between hackers. A hacker is not the same as a vandal, but some hackers are vandals. These people usually have no real interest in technology; the computer is merely a tool that helps them steal money, goods, services or valuable information.

What is deception? And how is it used?

Deception can be defined as an interaction between two parties, a deceiver and a target, in which the deceiver successfully causes the target to accept as true a specific incorrect version of reality, with the intent of causing the target to act in a way that benefits the deceiver. Because conflicts of interest are almost inevitable whenever humans interact, many deceptions are commonly encountered in everyday life.

Attacks generally exploit flaws in software; once a flaw is found and fixed, the corresponding attack stops working. Access obtained by deceiving an employee is different: no update removes it. It persists until the credentials are changed, so credentials should be rotated periodically, and immediately whenever a compromise is suspected.

Any communications channel can convey false information and thus be used for deception.

Miller & Stiff, 1993

Deception in organizations

Organizations need to take security seriously. Standard security measures reduce the risk of becoming a victim; an organization that does not follow security best practices is more likely to be attacked.

To keep your organization secure, you need to consider every element of it: people, the network, the devices connected to the local network, software applications and website(s).

The website is usually the first target. For many businesses it is the most important asset and the face shown to the outside world: the place where reputation is built and, in many cases, where an intranet holding confidential information lives. A malicious competitor could try to steal information, take the site down, or simply use it as a channel into the internal network. Depending on how secure the website is, an attacker may be able to upload a malicious script, install malware on the server, and take control of the server or even of the organization's infrastructure.

People, on the other hand, can be approached by email, by phone or even in person, and may hand over exactly what the attacker needs without noticing.

With that in mind, security effort and best practices need to focus on two areas:

Technological security considerations

  • Keep systems and software updated.
  • Install anti-virus software on all machines and keep it updated.
  • Implement strict authentication policies.
  • Grant access to organization files and infrastructure through VPN only.

Security with people

  • Basic security education is key.
  • Make key processes depend on more than one person, so that no single employee can authorize a sensitive action alone.
  • Implement two-factor authentication.

What’s the greatest threat to the security of a business? A social engineer. A magician who has you watching his left hand while his right hand is stealing your secrets.

Kevin D. Mitnick, 2002

A malicious person does not need advanced knowledge of networks to get access to your computer. The attacker only needs a way to deceive a trusted user into revealing information or granting access. No technology in the world can protect a business if a trusted employee is deceived, manipulated or influenced into revealing sensitive information. This is where education matters: employees need to be trained!

Some of the key topics an employee should know about are:

  • Phishing: employees need to understand that it exists and that it is very easy to confuse an authentic website with a fake one. They should know how to recognize a fake email or website: the real host in the URL (not the link text), the certificate, the sender address, among other signs.
  • Safe Internet habits: websites from unknown sources can put the employee's information at risk; session cookies can be stolen or malware introduced to the machine.
  • Don't download files or software from untrusted sources: to save some money you could be installing a back door for attackers. Always install applications from the original source!
  • Not everything is about computers! Verify callers, and even the people you talk to in person. In a large organization someone can pretend to be a colleague you don't know and extract valuable information from you, using details gathered through some basic research.
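The phishing bullet asks people to judge a URL by eye, which is exactly what deception exploits. As an added example (not code from the original article), here is a small Python check that makes the same judgement mechanically: it takes a link as it appears in an email and the organisation's own domains, and says whether the link really belongs to a trusted domain or only imitates one through the usual tricks (user info before "@", a trusted name used as a subdomain, a swapped suffix, homoglyphs, one-character typos, the brand embedded in another name). The trusted list, the sample URLs and the homoglyph table are constructed for the demonstration, and the "last two labels" rule for the registrable domain is a simplification; real tooling should use the Public Suffix List.

```python
"""Lookalike-URL checker. Added example; inputs and tables are constructed for the demo.
Registrable-domain logic is a simplification (real code: use the Public Suffix List)."""
import unicodedata
from urllib.parse import urlsplit

# Small table of characters visually confusable with ASCII letters (assumption for the
# demo; production code would use the Unicode confusables data).
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
}


def skeleton(label: str) -> str:
    """Collapse a label onto the ASCII word it visually imitates (paypa1 -> paypal)."""
    s = unicodedata.normalize("NFKC", label.lower())
    for glyph, plain in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(glyph, plain)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a brand name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximation: the last two DNS labels (paypal.com, evil.example)."""
    return ".".join(host.strip(".").split(".")[-2:])


def classify_url(url: str, trusted: list) -> tuple:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased by urlsplit
    if not host:
        return "unknown", "URL has no host"
    try:  # render punycode (xn--) hosts the way a browser displays them
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains non-ASCII characters
    if parts.username is not None:
        # https://paypal.com@evil.example/ : text before '@' is user info, not the host
        return "lookalike", f"user info {parts.username!r} hides the real host {host!r}"
    trusted = [t.lower() for t in trusted]
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", f"host is {t} or a subdomain of it"
    reg = registrable_domain(host)
    reg_brand = reg.split(".")[0]
    for t in trusted:
        brand = t.split(".")[0]
        if f".{t}." in f".{host}.":
            return "lookalike", f"{t} appears as a subdomain of {reg}"
        if reg_brand == brand:
            return "lookalike", f"{brand} registered under a different suffix ({reg})"
        if skeleton(reg_brand) == skeleton(brand):
            return "lookalike", f"{reg_brand!r} is a homoglyph imitation of {brand}"
        if edit_distance(reg_brand, brand) == 1:
            return "lookalike", f"{reg_brand!r} is one edit away from {brand}"
        if len(brand) >= 4 and brand in skeleton(reg_brand):
            return "lookalike", f"{reg_brand!r} embeds the name {brand}"
    return "unknown", f"{reg} is not a trusted domain and does not imitate one"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing e-mail.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypal.com@evil.example/login",
        "https://www.paypal.com.account-verify.example/",
        "https://paypa1.com/",
        "https://p\u0430ypal.com/",   # Cyrillic 'а' in place of Latin 'a'
        "https://paypai.com/",
        "https://paypal.net/",
        "https://example.org/",
    ]
    for link in samples:
        print(link, "->", classify_url(link, ["paypal.com"]))
```

The check deliberately ignores everything the attacker controls for free (link text, page design, logo) and looks only at what the browser will actually connect to; that is the habit the training should build in people as well.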

We could go on with an endless list of examples, because human creativity has no end. Deception is an art. Technology makes it easier to work and communicate, but in the end security is a matter of people: people who did not follow best practices, or people deceived by a combination of technology and psychology. Go ahead and check your security habits; it's never too late.