RSA 2017 – day 2: Attacking yourself

Want to find holes in your security perimeter? What better way than to attempt to attack yourself, and here at RSA there are plenty of tools to help you with that. Want to fake an insider attack? There are tools for that. Want to try a fake phishing attack? They have that too.

They say it takes a thief to catch a thief. If would-be thieves went to work at tech startups instead of living a life of crime, they might come up with some of these tools.

“Organizations that try to game themselves tend to be much stronger for it.”

It may be non-obvious to outsiders, but organizations that try to game themselves tend to be much stronger for it. Here’s how it works.

First, get your IT staff onboard. The last thing you want is to run a test scam and get yourself fired in real life. Then define the rules of engagement. Some organizations feel it makes sense to look at every digital piece in the puzzle, while others begin with a smaller test, perhaps by simulating an outsider attack coming across the Internet toward your defenses. Whether you choose to start simple or take a more complete approach, the point is that you start someplace.

A simple way (without hiring a team of specialists) is to use some of the tools showcased here to test and see if your folks will fall for convincing email scams. Typically, organizations will be fooled by phishing at least 20% of the time on average. That means if you have 100 staff members, there’s a good chance of someone falling for it.

At that point you can use some widely available tools to help users identify what is a phishing email and what’s legit.

Next, run a vulnerability assessment, or penetration test. If you don’t have the skills to do that with your own staff, there are some automated tools to help with that as well. If that seems like too much, hiring a penetration testing group isn’t a bad idea (although it can be expensive). Again, you’ll have to define the rules of engagement, like whether or not they can access your internal networks.

Wireless networks are a way of life now in the enterprise, but there are tools that can be used to keep track of your wireless access points’ overall security, as well as whether or not rogue Wi-Fi access points have popped up around your premises unbeknownst to you.

With wireless technology improvements, an attacker can gain access across an office Wi-Fi connection and pry their way into deeper parts of the network than you’d like, and then exfiltrate over commonly available cell network technology. Using wireless security tools, you’ll have a much easier time withstanding this type of attack unscathed.
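One piece of the wireless monitoring described above can be illustrated with a small rogue access point check. The example below is added here and is not code from the article or from any ESET product; the inventory, BSSIDs and scan results are constructed values, and the scan format is an assumption. It compares what a survey or wireless IDS sensor observes against an inventory of access points you actually own, and flags radios that advertise your corporate SSID without being in that inventory, as well as known radios advertising an SSID they should not.

```python
# Added example (not from the article): rogue Wi-Fi access point check.
# Compares a constructed scan listing against an inventory of authorized APs.
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str       # MAC address of the radio as seen in beacons
    channel: int
    signal_dbm: int


# Constructed inventory of authorized access points (hypothetical values):
# BSSID -> SSID that radio is supposed to broadcast.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "CorpWiFi",
    "aa:bb:cc:00:00:02": "CorpWiFi",
    "aa:bb:cc:00:00:03": "CorpGuest",
}
CORP_SSIDS = set(AUTHORIZED.values())

# Constructed scan results, as a survey tool or wireless IDS sensor might report them.
SCAN = [
    ObservedAP("CorpWiFi", "aa:bb:cc:00:00:01", 6, -48),
    ObservedAP("CorpWiFi", "aa:bb:cc:00:00:02", 11, -55),
    ObservedAP("CorpWiFi", "de:ad:be:ef:00:01", 6, -41),          # unknown radio using the corp SSID
    ObservedAP("CorpGuest", "aa:bb:cc:00:00:02", 11, -56),        # known radio, unexpected SSID
    ObservedAP("CorpGuest", "aa:bb:cc:00:00:03", 1, -60),
    ObservedAP("Free_Airport_WiFi", "00:11:22:33:44:55", 1, -70),  # unrelated neighbour network
    ObservedAP("CorpWiFi", "aa:bb:cc:00:00:01", 6, -49),          # repeated beacon for a known AP
]


def classify(scan, authorized, corp_ssids):
    """Sort observed APs into rogue (corp SSID from a radio we do not own),
    ssid_mismatch (our radio, wrong SSID) and unknown (neighbour networks)."""
    findings = {"rogue": [], "ssid_mismatch": [], "unknown": []}
    seen = set()
    for ap in scan:
        bssid = ap.bssid.lower()
        key = (bssid, ap.ssid)
        if key in seen:           # repeated beacons for the same radio/SSID pair
            continue
        seen.add(key)
        if bssid in authorized:
            if authorized[bssid] != ap.ssid:
                findings["ssid_mismatch"].append(ap)   # misconfiguration or spoofed BSSID
        elif ap.ssid in corp_ssids:
            findings["rogue"].append(ap)               # impersonating the corporate network
        else:
            findings["unknown"].append(ap)             # informational only
    return findings


def rogue_count(findings):
    """Number of observations that warrant a follow-up on the premises."""
    return len(findings["rogue"]) + len(findings["ssid_mismatch"])


if __name__ == "__main__":
    result = classify(SCAN, AUTHORIZED, CORP_SSIDS)
    for category, aps in result.items():
        for ap in aps:
            print(f"{category:14} {ap.ssid:20} {ap.bssid}  ch {ap.channel:2}  {ap.signal_dbm} dBm")
    print("items to investigate:", rogue_count(result))
```

Two caveats for anyone turning this into a real check: a BSSID can be cloned, so an inventory match alone does not prove a radio is yours (channel, signal strength and the wired-side switch port the AP hangs off are the usual corroborating signals), and a single scan only sees what was beaconing at that moment, so this belongs in a scheduled job or a sensor that runs continuously rather than a one-off walk-through.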

“If you start with these simple methods, you can build a more comprehensive self-test suite over time.”

If you start with these simple methods, you can build a more comprehensive self-test suite over time, but you have to start somewhere. With the tools that are now more widely available, and much easier to use, it might be time to start seeing whether you’d successfully get in if you attacked yourself, which is a much more comfortable situation than waiting for someone else to do it first.

Author, ESET

Copyright © 2018 ESET, All Rights Reserved.