When The Security Expert Is The Idiot

Here at PKWARE, when we describe the types of adversaries our technology is designed to block, we say “thieves, snoops and idiots.”

The first two are easy to describe. The thief wants to break into enterprise networks and steal sensitive information, and the snoop is either out to invade your privacy or is a trusted employee with access to information that, if shared with the outside world, could cause a lot of damage to the enterprise’s reputation.

The idiot is a bit more complex.

Our talking points outline idiots as users and admins who make dangerous mistakes, use weak passwords, visit sites known to house malware, and so on.

It’s a word security practitioners must be careful using for a simple reason: Sometimes, despite all we know and preach about best practices, we do things that put us squarely into the idiot category.

Here’s where I make an example of myself. I’ve told the stories before, but as the new guy at PKWARE digesting the thieves, snoops and idiots slogan, I’m reminded of how easy it is for people to unintentionally cross the line.

One mistake was less than a year ago, and my idiocy was exposed by my 15-year-old son.

Since I work in information security, my family expects me to be THE expert. And sometimes I ask for trouble when I try to teach them a lesson -- like grabbing phones and writing on the owner’s Facebook timeline to demonstrate the value of having a security PIN on the phone.

I’ve done that a few times during family get-togethers, grabbing a sister-in-law’s phone and typing into her Facebook account: “My brother-in-law Bill is the best!”

One day my oldest son decided to give me a taste of my own medicine.

He had been watching me punch in my PIN for some time, and when the opportunity arose, he grabbed my phone, correctly entered the PIN and wrote on my Facebook timeline.

“You should be ashamed of yourself,” he gleefully wrote. “You’re Mr. Security in the family, but you let yourself get hacked by someone who can’t even drive a car.”

Score one for the offspring. What he didn’t realize was that in getting past my PIN, he could have accessed parts of my employer’s network.

The other time I played the part of idiot was a couple years ago, when I received a direct message on Twitter from a work colleague -- or, rather, a bad actor who had hijacked my colleague’s Twitter account.

My colleague sat in the next cube over from me at the office. He’s a nice, mild-mannered chap, so when I got a tweet in his name, I opened the link without thought. Well, that’s actually not true. I did have thoughts based on his tweet: “Hello somebody is saying very bad rumors about you... (URL removed)”

As my phone began to freeze up, I realized I had been suckered by one of the oldest phishing tricks in the playbook -- despite all the user awareness articles I’d written about social engineering over the years.

I was able to purge the malware that was dropped on my phone, and since then, when I get a link DM’d to me, I check with the sender first to make sure it’s really them. Lesson learned. But for a good 20 minutes, the bad guys had the ability to access my company’s network.

Since my son exposed me, I’ve made a habit of changing my phone PIN every few weeks.

Being exposed as an idiot isn’t terrible, as long as we learn from the experience.

Unfortunately, a lot of people don’t learn and keep up the idiot behavior. That’s why we’re here.