Ethical Human Hacking

Note: this project is by Dina Board

Humans: the weakest link in information security. An organization can implement the strongest, most advanced security controls on its physical and logical systems and fortify its building. Yet all it takes is one employee being manipulated, frightened, or simply indifferent to security protocols to let an adversary in. After all, humans are complex creatures, susceptible to manipulation.

I remember my first red team engagement that involved human hacking – I was nervous and a part of me felt like I was doing something wrong. Technically, I was going to be manipulating innocent people who were not expecting to be used for information or access. It felt intrusive, even wrong. I had extensive conversations with my manager, and he explained that we strictly follow a series of best practices during our engagement to complete the project in an ethical manner. What are the practices? That’s exactly what we’ll uncover together during the presentation.

Human hacking isn’t new – people have been manipulating one another for centuries to get what they want. However, conducting human hacking campaigns to improve the security of an organization – that is a relatively new concept. No hacking campaign goes without consequences though; therefore, a system is required. Yet, what kind?

Since we’re dealing with humans, who are inherently fragile, the system that we devise must be ethical, meaning in line with an accepted set of principles of right and wrong that minimizes harm.

My presentation covers exactly this: I define what ethical human hacking is, examine why ethical testing is important, and explore specific concerns associated with human hacking. You’ll find common human vulnerabilities (your desire to be helpful may be detrimental), and we’ll go through some real-life red team engagements that I worked on. You’ll be able to critique them and see what worked (or didn’t). I will explain some common tactics used, cover best practices (we’re not here to hurt people), and then let you have a go at some hypothetical red team engagements.

When you get to the real-life red team engagements and then the hypothetical ones, take your time and think about how you would approach each one. What would you have done differently? Why?

As you embark on this exploration with me, consider the evolving landscape of social engineering threats. With remote work becoming commonplace and digital footprints expanding, attackers have more avenues than ever to exploit human vulnerabilities. Understanding and ethically testing these weaknesses isn’t just advantageous or “a good idea” – it’s essential for the resilience of any organization.

Human hacking will forever be a relevant and important part of information security – for no matter how much technology we introduce, humans remain integral to its operation, and there is no way to bulletproof a human being against manipulation or cognitive biases, or to suppress a human’s desire to be helpful. I am particularly passionate about this topic, and hope to share some of that passion with you, for this topic bridges the gap between human behavior and robust privacy protection – human hacking tests the final weakest link: us.

Discussion Questions

  • What are the ethical boundaries of physical red teaming, and how can organizations ensure that assessments remain ethical and legal?
  • Based on the case studies presented, what were the key security failures that allowed breaches to occur, and how could they have been prevented?
  • How can an organization balance security awareness training with real-world red team exercises to improve overall security posture?