The security professionals who conduct red team exercises to test companies’ incident detection and response capabilities have seen it all. They know what works to get into a company. And it’s basic knowledge among these experts that regular people are the weakest link in cyber security.
That’s why social engineering – the psychological manipulation of people into performing actions or divulging information – is a staple in a red team exercise.
Sure, ethical hackers have to have deep technical chops. But they’re not going to spend weeks building a zero-day exploit to break into your company if phishing a dozen employees will work in an afternoon.
The things red teamers go after are the same types of things actual criminal hackers will go after, if your company becomes a target. So even though these guys are the good guys and they’re there to help your company, learning a little about how they do their job will help you build up a healthy suspicion that will serve you well when your company really is under attack.
We’ve recorded an audiobook “The Art of Red Teaming” to give you a glimpse into how red teaming is done. To give you a taste of what’s inside, we’ve pulled some tips from it to bring you four ways to roll out the red carpet for red teamers (and black hat hackers).
“Hide” your passwords in simple places.
Think you’re hiding your password by leaving it on a Post-It note under your keyboard, or in the drawer beside your desk? Not quite. These hiding spots are so common, they are the first places red team experts will look to find passwords. You’re better off saving your passwords in a password manager.
Leave your computer open or unlocked when you leave work.
It might sound crazy, but it’s not unheard of for red teamers to find people have done this. Another very common mistake: leaving your laptop open and unlocked while you step out for a coffee break or go to the bathroom. These missteps are an open invitation for mischief.
React to your emails emotionally.
Always take a few moments before reacting to that email that says your Dropbox account has been hacked, or you’ve been denied access to that LinkedIn discussion group. Red teamers (and criminals) use phony emails like these to play on your emotion and get you to click on their phishing link. So take a moment to think and observe carefully before you do anything.
Hold the door open for strangers.
It may seem inconsiderate not to hold the door open for the stranger coming into the facility after you, and it may feel odd to question a loiterer about their purpose for being in the building. This basic human trust in others is exactly what red teamers play on to gain access to restricted areas and be in places they wouldn’t normally be “authorized” to be. Building a healthy skepticism about your environment could make a red teamer have to work a little harder, or it could stop a real malicious actor.
For more on red teaming and how it’s done, listen to “The Art of Red Teaming.”
Would you rather read than listen? Download the ebook here.