In conclusion, Jordan Harbinger tells a few stories from his past experience to underscore the weakest human component in information security chain.
So, the solutions are obvious, right? Training: sure, you got policies with respect to social media in your company, and you’ve got this classified info, and you know you’re not supposed to divulge all this stuff. But if someone’s ready to jump ship, if you don’t care about the company anymore, you don’t give a crap, right? You don’t care. You think: “Well, I’m not doing any harm, I’m just looking for another gig. I’m not really hurting anyone by talking about this stuff. This is a recruiter, what is he going to do? He just wants to know. No big deal.”
Of course, you don’t know that there’s a malicious angle to it, because you’re not thinking about that, you’re just looking out for yourself. So, a company like White Hat Defense, or a shortlist of other highly qualified trainers can work miracles. And if you’ve had training already, a lot of you would be like: “Oh, I’ve already had training, I’m good.”
When is the last time you took the class yourself? And when is the last time you gave it to your staff? And also, do you remember what you learned in that class? Because I took a course a few months ago, and you don’t remember 80% of what you learned, even if you were there for 4 straight days. So, if you don’t remember what’s taught, you know damn well that nobody else on your team does.
And if you think that your staff would never fall for this, I’d like to just recount a brief story that happened to us at The Art of Charm. We were moving from New York to LA, and we decided: “Ok, cool, we’re going to do the work for, like, 6 weeks in between these two things, these two locations.” And so we’re going to pack all our earthly belongings and we’re going to send them through the shipping company with a big crate and put them in the storage unit, and then we’ll come back and have them ship all that stuff to LA, and that was a great idea. Except when we got to LA and we called that company, their number didn’t work anymore. And then, when we googled and investigated it and found different locations on the map and the warehouse that they used, I called the warehouse, and the kid who worked there was like: “Yeah, they went out of business, like, 3 months ago,” which is funny, because I hired them a month and a half ago.
All of our stuff was gone, and he looked and looked, and we called him every day and we offered him $1000 if he could find our stuff. And finally some good news came back and he had some of our stuff, so he packed it all into a box and he mailed it over, and out of the 26 boxes of crap that we sent to this storage unit in Pennsylvania, we got 13 boxes back; all of the valuable stuff was gone and all of our clothes were soaked in all of our toiletries, that was ‘great’. So, all this stuff was ruined; not only have we been ransacked, but everything was ripped open; and what was really missing besides the electronics was all our luggage, which I assumed had been used to carry away our electronics.
Basically, if you’re thinking: “I would never fall for this” – realize that everybody can fall for this; it doesn’t matter how sharp you are. My assistant who found that company, and we do not want to put the blame on her, obviously did her homework as much as she could have, and just found a place where price matched, called, the guy was nice on the phone – fine, you’re hired, right?
So, I would propose an independent HR department or a security department, where people don’t feel isolated, because the thing is people make stupid decisions and they don’t think critically when they’re isolated. And if you’re looking for a new job, you can’t tell your boss, you can’t tell your colleagues, you can’t tell HR, because you don’t want to get fired. The problem there is a lot of the information that I elicited would never have come out if people were like: “Hey, I’m talking to this recruiter and he just needs to know a few things about what we’re doing here. Do you think it’s a good idea?” – “You probably should just tell him you can’t tell that and he’ll have to understand.” – “Oh yeah, maybe I should do that.”
But if you can’t bounce that off of anyone else, you’re just going to do what I ask you to, because you don’t know any better and you want that job so bad. And this is why con men and salesmen operate best in the vacuum: if you are thinking critically, if you have a moment to think – a lot of times you’re going to choose the right decision, which is: “Keep your freakin’ trap shut, someone’s going to poke holes in that.”
In conclusion, obviously, the human element of security is the weakest, always, and it always will be. The sophistication of our systems improves all the time, but the software that’s in your brain really doesn’t. In fact, it degrades over time as we become complacent.
And I’m going to skip the ending story that I had for you all, because I think you guys are pretty sharp and obviously understand this. But essentially, when I was in college our computer lab kept getting robbed over and over again, and finally they installed the keycard thing, where you had to insert your student card to go in and get to use the computers. And they still got their stuff stolen, and they finally installed all these other locks and these verification things, and you had to sign in and everything. And then they finally installed a really expensive video surveillance system, and they still got robbed, but when they reviewed the tape they finally realized how these guys were getting in, and the way they were getting in was they were knocking on the door and telling whoever was there that they forgot their card; and they would wait until everyone left, and then they would steal all of the stuff.
So, no matter how expensive your locks are, no matter how awesome your security system is, it’s not worth a crap if someone’s going to open the door from the inside. So, I’ll leave you with a quote from Paul Wilson from BBC’s “The real hustle”. He says: “If you’re the type of person that thinks they can’t be conned, then you’re exactly the type of person that I would like to meet.” Thank you!