NetSPI Information Security Consulting
NetSPI Blog


Pressure Engineering

Monday, August 16th, 2010

Let us turn to “Social Engineering” for a moment. The first thought for many of us is the writings of Kevin Mitnick (The Art of Deception and The Art of Intrusion, co-authored with William L. Simon) that used real-life and hypothetical stories to demonstrate how social engineering can be combined with hacking to bypass technical security controls. We think of the call to the help desk in the middle of the night to unlock the executive account, and the psychological pressure exerted by the attacker implying retribution if the task is not carried out immediately. Or perhaps a rogue website that is accessed through a series of phishing emails that in turn collect sensitive information.

But what about an attack on a security system that degrades the availability of the security controls themselves and/or the availability of the resource the controls are intended to protect? Compromising the data then simply becomes a waiting game for the would-be attacker. This “un-social” engineering attack may involve little or no interaction between the attacker and the target. Let us dub it “pressure engineering,” a subset of social engineering.

Imagine a Mr. Mugglesworth working under a tight deadline. At the completion of the work, it must be submitted, transmitted and/or stored in a secure manner. Mugglesworth is as good about following the security procedures as he is about getting his work done on time. Indeed, Mugglesworth is trusted with some of the most sensitive information in the company. But when he tries to submit his work, something is wrong. The security control is not allowing him to proceed. Or the system is not able to accept the work in a secure format. The pressure mounts as the deadline approaches. Mugglesworth is counted upon to complete his work on time, and a missed deadline with “security” as an excuse simply will not do. The temptation to bypass the normal security procedures in order to complete the task is great – especially since the technical or managerial resources are not responsive. (It is after-hours and no one is available to assist.) When the right personnel are available to assist, the deadline will have long passed.

Will Mugglesworth or his superior make an “executive decision” to handle the sensitive information in an insecure manner? Or will they wait it out? The pressure mounts… pressure engineering has been applied.

The answer to this question will depend on the security culture at Mugglesworth’s organization. It may depend on the type of security training and the expected employee response that is cultivated. It may also depend on how the technical issue is escalated and the organizational response.

Where do “Da Rules” fit in at your organization? What would Mr. Mugglesworth do if he worked for you? How would you and your organization address this scenario?
