{"id":1697,"date":"2025-02-07T13:13:12","date_gmt":"2025-02-07T20:13:12","guid":{"rendered":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/?p=1697"},"modified":"2025-02-07T13:13:14","modified_gmt":"2025-02-07T20:13:14","slug":"ethical-human-hacking","status":"publish","type":"post","link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/02\/07\/ethical-human-hacking\/","title":{"rendered":"Ethical Human Hacking"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Note: this project is by Dina Board<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Humans, the weakest link in information security. An organization can implement the strongest and most advanced and robust security controls on their physical and logical systems and fortify their building. Yet, all it will take is an employee being manipulated, frightened, or simply indifferent to security protocols to let an adversary in. After all, humans are complex creatures, susceptible to manipulation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I remember my first red team engagement that involved human hacking \u2013 I was nervous and a part of me felt like I was doing something wrong. Technically, I was going to be manipulating innocent people who were not expecting to be used for information or access. It felt intrusive, even wrong. I had extensive conversations with my manager, and he explained that we strictly follow a series of best practices during our engagement to complete the project in an ethical manner. What are the practices? That\u2019s exactly what we\u2019ll uncover together during the presentation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Human hacking isn\u2019t new \u2013 people have been manipulating one another for centuries to get what they want. However, conducting human hacking campaigns to improve the security of an organization \u2013 that is a relatively new concept. No hacking campaign goes without consequences though; therefore, a system is required. 
Yet, what kind?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since we\u2019re dealing with humans, who are inherently fragile, the system that we devise must be <em>ethical.\u00a0<\/em>Meaning, in line with an accepted set of principles of right and wrong to minimize harm.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">My presentation covers exactly this: I define what ethical human hacking is, examine why ethical testing is important, and explore specific concerns associated with human hacking. You\u2019ll find common human vulnerabilities (your desire to be helpful may be detrimental) and we\u2019ll go through some real-life red team engagements that I worked on. You\u2019ll be able to criticize and see what worked (or didn\u2019t). I will explain some common tactics used and cover best practices (we\u2019re not here to hurt people) and then will let you have a go at some hypothetical red team engagements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When you get to the real-life team engagements and then the hypothetical ones, take your time and think about how you would approach them. What would you have done differently? Why?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As you embark on this exploration with me, consider the evolving landscape of social engineering threats. With remote work becoming commonplace and digital footprints expanding, attackers have more avenues than ever to exploit human vulnerabilities. Understanding and ethically testing these weaknesses isn\u2019t just advantageous or \u201ca good idea\u201d \u2013 it\u2019s essential for the resilience of any organization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Human hacking will forever be a relevant and important part of information security \u2013 for no matter how much technology we introduce, humans remain integral to its operation, and there is no way to bulletproof a human being against manipulation and cognitive biases, or to suppress a human\u2019s desire to be helpful. 
I am particularly passionate about this topic, and hope to share some of that passion with you, for this topic bridges the gap between human behavior and robust privacy protection \u2013 human hacking tests the final weakest link: us.<\/p>\n\n\n\n<div data-wp-interactive=\"core\/file\" class=\"wp-block-file\"><object data-wp-bind--hidden=\"!state.hasPdfPreview\" hidden class=\"wp-block-file__embed\" data=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/02\/Board-Project-10120343.pdf\" type=\"application\/pdf\" style=\"width:100%;height:600px\" aria-label=\"Embed of Board - Project - 10120343.\"><\/object><a id=\"wp-block-file--media-1ccfd5ad-9334-4d38-afee-b029a242cae3\" href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/02\/Board-Project-10120343.pdf\">Board &#8211; Project &#8211; 10120343<\/a><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-content\/uploads\/sites\/119\/2025\/02\/Board-Project-10120343.pdf\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-1ccfd5ad-9334-4d38-afee-b029a242cae3\">Download<\/a><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Discussion Questions<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What are the ethical boundaries of physical red teaming, and how can organizations ensure that assessments remain ethical and legal?<\/li>\n\n\n\n<li>Based on the case studies presented, what were the key security failures that allowed breaches to occur, and how could they have been prevented?<\/li>\n\n\n\n<li>How can an organization balance security awareness training with real-world red team exercises to improve overall security posture?<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: this project is by Dina Board Humans, the weakest link in information security. 
An organization can implement the strongest and most advanced and robust security controls on their physical and logical systems and fortify their building. Yet, all it will take is an employee being manipulated, frightened, or simply indifferent to security protocols to &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/2025\/02\/07\/ethical-human-hacking\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Ethical Human Hacking&#8221;<\/span><\/a><\/p>\n","protected":false},"author":654,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1697","post","type-post","status-publish","format-standard","hentry","category-uncategorized","entry"],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Michelle Cheatham","author_link":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/author\/michelle-cheatham\/"},"_links":{"self":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/users\/654"}],"replies":[{"embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/comments?post=1697"}],"version-history":[{"count":3,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1697\/revisions"}],"predecessor-version":[{"id":1700,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/posts\/1697\/revisions\/1700"}],"wp:attachment":[{"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/medi
a?parent=1697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/categories?post=1697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpsites.ucalgary.ca\/jacobson-cpsc\/wp-json\/wp\/v2\/tags?post=1697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}