Information Security News mailing list archives

Security Tool Tricks Workers Into Spilling Company Secrets


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 12 Aug 2015 09:34:57 +0000 (UTC)

http://www.wired.com/2015/08/ava-human-vulnerability-scanner-finds-your-weakest-security-link/

By Klint Finley
Business
Wired.com
08.11.15

Tricking people into bypassing security measures, revealing passwords, and disclosing confidential information is called “social engineering” in the computer security business. It’s a huge problem, and it’s one Laura Bell, founder of the New Zealand security consultancy SafeStack, was contemplating while home on maternity leave two years ago. Although many companies have mandatory security trainings, she realized there’s no real way of knowing whether such training is effective until it’s too late.

What her clients really needed, she decided, was a way to identify the employees most vulnerable to social engineering attacks. There wasn’t anything like that available at the time, so working in half-hour increments as her daughter slept, she created AVA, a free open-source tool for what Bell calls human vulnerability scanning. But not everyone is happy with the results.

“Some people have said I should go to prison for releasing this,” Bell says.

First, a hypothetical example of social engineering at work. Imagine you’re a junior help desk technician at a large company. You’re low on the corporate ladder, and constantly worried about keeping your job. One night you get a text from a number you don’t recognize. “It’s Ted,” the message reads. “I need my password reset immediately. Lots of money riding on this deal.”

[...]
