Last week, no one on Facebook was hacked by Jayden K Smith and that bothers me. I’ve spent the better part of my adult life trying to get people to pay attention to computer security. Seeing a warning of a security risk — social engineering in this case — go viral was heartening. People were trying to help each other and spread the message. The problem was that soon after the warning spread, another viral message followed. The Jayden K Smith warning was revealed as a hoax.
So, it was a relief, right? It was safe to get on with our summer adventures. In a way, yes, it was a relief. We should all be glad that it was not a widespread cyberattack. Yet on a deeper level, I’m just as alarmed that the warning was dismissed as a hoax. Surely, it was technically inaccurate. You can’t automatically be hacked just by accepting a friend request. However, accepting friend requests from strangers is a bad idea. Just because you can’t automatically be hacked doesn’t mean that accepting such a request carries no risk. Those risks were treated as afterthoughts in many of the articles that debunked the Jayden K Smith story. Some people will come away believing the risk was related solely to Jayden K Smith – whoever he is. Calling it a hoax based on the story’s technical merits alone does no one a service. Now, I’m afraid that people will ignore the next warning, or the one after it, which could have devastating consequences.
The separation between our private digital lives and business networks is less distinct than ever. We check personal accounts at work and we work from home. We bring our own devices to work and we bring work devices home. At the same time, attackers are growing more sophisticated. They are developing tools and techniques as broadly powerful as WannaCry and as pinpoint specific as spear phishing campaigns. Firewalls, antivirus software, and complex passwords thwart some threats, but they are no longer sufficient to protect us from careful, practiced, and patient hackers who tirelessly sift the sands of the Internet for the most vulnerable targets.
Consider this for a moment. You built a high wall (proverbially speaking) around your business network. You invested in expensive hardware and software to protect your computer systems and data. Your company is successful and profitable. Your staff works long, hard hours and you reward them by being a little lenient. You let them check personal email and social media at work. How well protected are those private accounts? Who is lurking in the background waiting to send a carefully crafted link in an email or on social media? It might look safe, but clicking it could allow some version of a real-life Jayden K Smith to enter. Your company built a high wall, but you left a window open in the back.
Social engineering is successful because it exploits trust rather than technical flaws. The more you know about someone, the easier it is to find ways to trick them. Think of fake social media connections as a form of reconnaissance – one way to sift the sands of the Internet to find a target. Attackers profile their victims and carefully craft messages that will bait them to click where they should not. They can’t automatically hack you by connecting, but they might eventually find a way to fool you into letting them in. The high walls we build around our business networks only obstruct our views of the evolving threat landscape. Multi-layered strategies are truly the best defense and one layer of that strategy must be education.
People are always the weakest link in our security defenses. Just to be clear, my message is not to shut down access to personal email and social media in the workplace or to reverse BYOD policies. Training your staff will help them understand which behaviors are risky and which are safe. You need to expect that some people will make mistakes even if they’ve been trained. So, training needs to be regular and coupled with enforceable policies for devices that connect to your network. If personal and third-party devices don’t meet your security standards, don’t let them connect. The device itself may be compromised even if the user is trustworthy.
Seeing my Facebook feed light up with warnings about Jayden K Smith was a good thing. Even though the risk was exaggerated, calling it a hoax only teaches people to let their defenses down. The real problem with the Jayden K Smith warning was not that it was technically inaccurate, but that it was far too specific. If a general message went viral today warning people not to accept friend requests from strangers or duplicate friend requests from people they already know, that would be helpful. Treating links and attachments with a healthy dose of skepticism and using some common sense about strangers and imposters will go a long way to making each of us more secure on the Internet.
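The two habits recommended above, declining requests from strangers and from duplicates of people you already know, can be written down as a simple triage rule. The script below is an added illustration, not code from the original post: it takes a constructed list of existing connections and a constructed list of incoming requests and labels each request as an existing connection, a possible impersonation (same display name as an existing friend but a different account id), a stranger (no mutual connections), or low risk. The `Account` class, the field names and the sample accounts are all assumptions made for the example; real platforms expose this data differently.

```python
"""Triage incoming friend requests for impersonation and stranger risk.

Added example; the Account fields and all sample data are constructed for
illustration and do not come from any real platform or from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str      # stable platform identifier (assumed field)
    display_name: str    # user-controlled, easy to copy (assumed field)
    mutual_friends: int  # number of connections in common (assumed field)


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'alice  EXAMPLE' matches 'Alice Example'."""
    return " ".join(name.lower().split())


def classify_request(request: Account, existing: list[Account], min_mutual: int = 1) -> str:
    """Return one of: already-connected, possible-impersonation, stranger, low-risk.

    A request whose display name duplicates an existing friend under a different
    account id is the 'duplicate friend request' pattern the post warns about.
    """
    known_ids = {a.account_id for a in existing}
    known_names = {normalize_name(a.display_name): a.account_id for a in existing}

    if request.account_id in known_ids:
        return "already-connected"

    name = normalize_name(request.display_name)
    if name in known_names and known_names[name] != request.account_id:
        return "possible-impersonation"

    if request.mutual_friends < min_mutual:
        return "stranger"

    return "low-risk"


def triage(requests: list[Account], existing: list[Account]) -> dict[str, str]:
    """Map each request's account id to its risk label."""
    return {r.account_id: classify_request(r, existing) for r in requests}


# Constructed sample data: two existing connections and four incoming requests.
EXISTING_FRIENDS = [
    Account("u1001", "Alice Example", 42),
    Account("u1002", "Bob Sample", 17),
]

INCOMING_REQUESTS = [
    Account("u1001", "Alice Example", 42),   # already a friend
    Account("u9001", "alice  example", 3),   # same name, new id: duplicate request
    Account("u9002", "Jayden K Smith", 0),   # nobody in common: stranger
    Account("u9003", "Carol Known", 12),     # new name, shared connections
]

if __name__ == "__main__":
    for account_id, verdict in triage(INCOMING_REQUESTS, EXISTING_FRIENDS).items():
        print(f"{account_id}: {verdict}")
```

The labels are a prompt for a human decision, not an automatic block: a mutual-friend count can be inflated by an attacker who has already been accepted by a few of your contacts, which is exactly why the post treats fake connections as reconnaissance rather than as the attack itself.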
For more information about social engineering, please read this publication from SANS.
Wikipedia has a good article on phishing.
To learn more about developing a multi-layered defense strategy, please visit our security page.
July 12, 2017