BRAMPTON, Ont. — As a penetration tester Joshua Crumbaugh has a number of weapons, the biggest of which are his research skills and his determination.
He has talked a U.S. bank into installing ‘malware’ and ultimately into letting him into the vault, and convinced the IT support department of an international law firm to give him an administrator password, both over the phone.
So it’s no surprise that Crumbaugh, who now heads the Alabama-based security awareness training firm PeopleSec, says employees are the real block to improving digital security.
“I would argue 100 per cent of breaches are the result of people,” he told the International Cyber Security and Intelligence Conference Wednesday.
Too often the blame for cybersecurity incidents falls on staff, he added. “More often than not it’s not the fault of the person but management for not properly training people,” he said.
In fact, in an interview he argued that the overwhelming share of an organization’s cyber spending should go to training. “It’s 90 per cent of the problem, so it should get 90 per cent of the budget.”
Most organizations devote five per cent of their budget to awareness training, he said.
“You can buy a $10 million security box, but it’s not going to solve your cyber security problems because at the end of the day it’s always people. People let you [an attacker] onto the network, mistakes by your IT operations allowing you to get full access, cultural problems because there’s not a top-down initiative from the CEO or COO all contributes to this perfect storm to where hackers can get into any network.
“I’ve never had a single network keep me out.”
The best awareness training content, he said, has four elements: it’s entertaining; encompassing (tailored to the staffers’ duties); engaging; and, most importantly, effective (by which he means it affects three metrics: are we reducing time to detection, time to detection and time to remediation).
These, he adds, are the only metrics that should matter to a CISO — not how many people are falling for phishing scams.
Making training entertaining isn’t that hard: “We make content too long and cover too many products. If I can engage you in any way — make you laugh, cry, fear — it will help anchor a lesson. Go onto YouTube and use hilarious videos in a presentation. We can make anything entertaining, we just have to try harder.”
He criticized a landing page one company displayed to staffers who fell for a phishing test, which listed 12 ways to avoid clicking on a suspicious link. That’s too much information, he said: all staff need to know is to think before you click.
Hackers rely on research
It’s hard to argue with Crumbaugh’s logic when he spins stories like how he got into a bank’s vault. The short version is that he researched the institution’s email service and found an online forum with complaints about the ISP that provided it. So he phoned the head of IT and pretended to be a rep from the ISP, calling to email him a new configuration file to solve the problem. The grateful official fell for it, even though he’d been warned by management that there would be a pen test that day.
Lesson: Hackers will research target firms and use anything they find to con you.
In another case, it took Crumbaugh five minutes to convince an IT support staffer over the phone at a law firm that he was doing legitimate work. He got the staffer’s password, which also gave him access to the firm’s domain controller.
He then made an appointment to access the data centre, and when he arrived at the firm credentials were already waiting for him at the front desk. However, once in the data centre he was challenged by an IT staffer, who escorted him out. Crumbaugh then began a song and dance about what a hard day he was having and how his wife was divorcing him, and the staff let him walk away.
Lesson: When you’re tempted to ignore a security protocol, or are being entertained too much to realize there’s a problem, that’s when you need to be overly cautious.
Hackers will do almost anything to gain people’s trust and get them to do something, he warned, including showing sympathy for their problems. A favourite of Crumbaugh’s was to explain that he’d come to their office to fix network latency, a spiel he says was guaranteed to make eyes glaze over so people would leave him alone.
“Building camaraderie is a huge part of social engineering, and also one of the red flags you look for.”
The conference, which continues Thursday, was organized by the Ontario College of Management and Technology, a private career college.