Security's Achilles' Heel
All the software, audit and compliance in the world is useless when a single person opens the door and lets the Big Bad Wolf waltz in. Yes, code review is important. Absolutely, audit is essential. And without question, process can save lives. None of that matters if the person entrusted with the key can be talked out of it over the phone. Social engineering is the granddaddy of security risks. Sadly, technology has yet to come up with a panacea for gullibility. Just look at what happened to CloudFlare.
Someone convinced an AT&T technician to redirect the subscriber's voicemail to a fraudulent voicemail box. No code hacking, no PBX re-programming, no physical tampering with wires. The heavy lifting in this breach was a conversation. The first of four dominoes fell, as seen on this timeline, when an employee granted unauthorized access to an untrusted outsider. Sure, there were clearly flaws in Google's 2FA; Google has admitted as much. And CloudFlare's auto-cc of administrative email containing sensitive information was just bad practice all around. However, neither of those attack vectors could have been exploited so handily without the initial redirection of the trusted channel of communication: a recovery channel that a carrier will reroute on request is no second factor at all.
There are plenty of technical discussions elsewhere about code and process and race conditions ad nauseam, but the bottom line is this: the weakest link is people, and exploiting people's behavior has been security's greatest foe since walls were made of stone. More technical solutions won't fix this. In fact, added complexity, and the decrease in usability that comes with it, only creates additional opportunities for human error. Awareness, whether instinctive or trained, is likely the only real counter to being talked into unlocking the door.