The quickest, and arguably most effective way, to compromise an organization is via social engineering. Social engineering in the digital sphere is almost always synonymous with some form of Phishing attack.
A phishing attack, in its simplest form, is the basic act of luring a victim to some bait to achieve some outcome.
Think of the act of fishing. You attach a worm to your hook, and you cast it into the water. You wait, and eventually a hungry fish comes along and says, “hey, lookie here, dinner..”. They bite, and like magic, you have caught your fish.
The Phishing World
As security gets better, phishing becomes more important to bad actors. As physical networks disappear, and organizations move to the cloud, phishing is becoming more prominent.
The reason is simple: phishing takes advantage of the one vulnerability that security professionals have struggled with since the beginning of the industry – the human element.
Phishing is often believed to come from emails, but that is only one medium. Phishing has evolved and can come from a myriad of other sources like social media and voice platforms as well.
The human vulnerability is not entirely the humans’ fault. Humans are creatures of habit, and technology companies have introduced habits that work counter to what we do in the security world.
To help illustrate the point, here are but a few of the things that contribute to why Phishing attacks are so effective:
- A link, by design, is meant to be clicked on;
- A file, by design, is meant to be opened;
- Technology obfuscates sensitive information about where information is coming from, by design. The thinking from the biggest companies is, “don’t inundate the user with information they don’t care about”;
- Technology allows us to leverage colors, styling and other elements to appeal to a user’s mind to encourage engagement (there are literally teams devoted to this form of manipulation in companies of all sizes).
And now, there is a new handicap – don’t hurt your employees feelings.
Bad Actors Don’t Care About Feelings
Somewhere in the ridiculous world we live in, feelings have become part of the discussion as it pertains to keeping organizations safe.
We’re not talking about an employee being mistreated, being assaulted, or otherwise being treated less than they deserve. No, we’re talking about the offensiveness that comes with running a test that emulates a tactic a bad actor would take, and an employee being offended by its “tone-deaf” nature.
For context, during Christmas, 2020, GoDaddy decided to run a test in which they offered a bonus in lieu of a holiday party. Here is what it read:
It was brilliant, and here is why:
- It emulates an email that GoDaddy would have sent for other events;
- It was crafted to take advantage of something that was most likely at the top of everyone’s mind – no Holiday party (something GoDaddy was once known for, and dear to everyone’s heart);
- It indirectly appeals to the current state of affairs with the pandemic – “We can’t be together”;
- It also appeals to the economic state of affairs – “money is tight everywhere, and we want to make it better”;
- The security team that put this together put themselves in the shoes of a bad actor – “what would they do?”;
I can appreciate the brilliance in this test.
Instead, what we focus on is that it was considered “tone-deaf” and feelings were hurt. Bad actors don’t care about your feelings, and as such, those who are charged with protecting a company, and its employees, cannot either.
The Hypocrisy is Deafening
Get hacked, and you will be blamed for failures in your strategy and team, all while getting limited funding and support. Work to avoid a hack, and you will be blamed for hurting feelings. Everyone will support the strategy until the feelings are made public; then you’ll have to recant as if the strategy was flawed.
The irony of it all? Those whose feelings are hurt, and onto whom the media latch like pariahs, are the very ones being protected by these types of tests.
In the end, we end up with another forced apology for something that shouldn’t even be a conversation. Feelings have no place in the world of security.
Tips to Protect Against Phishing Attacks
Per the Center for Internet Security, here are a few tips to help evolve your online habits and become more resilient against Phishing attacks (and tests):
- Be cautious about all communications you receive. If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at firstname.lastname@example.org.
- Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email.
- Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens.
- Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but they will reduce the number of phishing attempts.
Learn more about Phishing from the US Cybersecurity & Infrastructure Security Agency.