Paul Newton

The Weakest Link.

This blog post is about the video that went out yesterday (22/01/2020), which was all about how people can be the weakest link in security.

There are a few examples of how you can give away your own passwords and PIN numbers by complete accident. You can also have them stolen off you by someone like me, who uses a variety of tricks, mind-reading skills and basic skulduggery to get them out of you. The same is true of anything that you do at work: your username and your password can be given out by accident, or they can be stolen by someone like me.

But what if you're a business owner? Then the fact is that you need every member of your staff to be as good as they can be when it comes to security.

Actually, at work it's even harder to stay safe, because fraudsters and scammers happily target businesses knowing full well that we do not have our defences up the whole time.

I'll give you an example that somebody told me a couple of weeks ago. This one was brilliant.

The social engineer (scammer) called up Company X at 4:55pm on a Friday evening, because they knew the employee would normally be more concerned about getting home than about security issues. The scammer then used the usual set of tactics to try and get a password out of the employee. This can be anything along the lines of: "Hey, it's Paul from head office. I'm trying to work on your system and I can't get into it. I know the start of the password but I need the last six digits," etc., etc.

Now, this employee was very good and wouldn't give up any details at all. She stopped the social engineer completely and wouldn't give out anything that could help them further their cause. Well done to her!

The following Monday the employee got a call from her head office explaining that she had passed the test: she had stopped the social engineer, who had been employed by her company to test security. Head office then asked if it would be okay to do a piece about her in the company newsletter. This would obviously be distributed to everyone in the whole company; they would send somebody down for a nice photo opportunity, and she would probably get some flowers and a basket of goodies out of it.

Then followed a 20 to 30 minute interview all about this girl: what she does, her home life, where she grew up, what her family life is like, what her pet's name is, loads of the stuff you would expect in an interview. The real problem here is that this still wasn't head office. This was just another one of the social engineers, using the interview as a way to get personal information out of the employee. In the end the information they got from her was the place she was born, her first, last and middle names, her date of birth, her mother's maiden name, details of her family life, the first pet she ever had and the road that she grew up on!!!

So, they basically took everything from her that they would need to answer the usual security questions and hack any of HER online accounts, and this includes her work email.

Once they had her work email, they could reset all the other passwords that she has associated with that account!!!

And they got all that because this girl believed a more than believable story.

This example shows you how social engineering can be used to fool one of the best employees, one who genuinely wants to keep you secure!

Now imagine, if you will, that you had an ex-employee who could still get into your whole work network, but who was disgruntled for some reason: maybe they've been sacked, maybe they've been fired under a cloud, and now they want a bit of payback against you.

So please remember: your people can be your best line of defence or the weakest link in your security chain!

Stay safe.

Paulie x