The recent iCloud hack of Jennifer Lawrence and other celebrities exposed just how much trouble can be caused by inadequate security measures.
Apple confirmed that the hacker gained access to the celebrities’ iCloud storage areas by correctly guessing the answers to security questions. Undoubtedly, private individuals sat up and took note, but there’s a chilling lesson to be learnt for business owners too.
Social engineering 101
Social engineering, or the art of getting ordinary individuals - employees included - to give up useful personal details and sensitive security information, is what presents the risk to businesses.
It is human nature to tell the truth when asked questions by people who are perceived to be in a position of authority, and it is this same inclination that applies to password security questions – individuals answer them accurately. There is also a tendency for individuals to use the same passwords and security answers in the workplace as they do in their private lives.
This combination of habits is what hackers aim to exploit: if they can find out the likely answers to security questions, they can hijack an employee’s email account and gain access to a business network.
The trouble for celebrities is, because so many of their detailed personal facts are liberally sprinkled across the public domain, these answers are easy to guess. Unlike with celebrities, hackers have to actively find out facts about the particular individual or employee they want to target. Too hard? Wrong! Too easy…
Admittedly, you can’t read about Ms Smith from Accounts in Rolling Stone, OK! or Vanity Fair, but what if Ms Smith is on LinkedIn, Facebook, Twitter, Pinterest, or any other number of social media or third party sites? Granted, no one’s shouting, “Read all about it!” from the street corner, but they may as well be.
In order to learn more about an individual or employee, hackers do their homework by digging around on social media sites. Armed with personal information - often simple details like a pet’s name, spouse’s name, date of birth – they have paved the way for an easier break-in. And the unwitting individual has helped them.
Tell me lies, tell me sweet little lies
Business owners should increase awareness about the concept of social engineering and share with employees the full extent of what assets could be stripped as a result of a security breach: passwords, customer information, corporate plans and strategies, or data pointing to a financial source. After all, it is in their collective interest that the company they work for isn’t compromised.
There is a simple but effective way to reduce the threat posed by social engineering: employees can protect both themselves and, consequently, their employers, by changing their natural instinct to tell the truth when answering security questions.
The fact is, no one is actually verifying that an answer is true, just that there is an answer, and that it’s the same one each time the question is asked.
This simple fact means that, by telling a white lie, or even a supersize one, users can add extra strength to a potentially weak security measure. No system can check that a first pet really was called Spot - it’s just as happy with HotDiggidyDog. And mother’s maiden name? Why, it’s R2D2N0ne0fY0urBu5ine55, of course…
The downside to disguising the truth, as any experienced dissembler will tell you, is having to keep track of the web of lies: it’s much easier being honest. In this case, as the deception is so clearly worth the effort, using a password manager is an ideal way to store passwords and security answers - you only have to remember one pass phrase.
The celebrity photo hack was a classic case of social engineering and is directly relevant to business owners. Fleetwood Mac’s immortal line, “Tell me lies, tell me sweet little lies”, encapsulates an unusual workaround, which is why you won’t hear any hackers humming it…