#IRISSCON: Social Engineering Experimenters warned not to cross Moral and Legal boundaries | Media Pyro


Social engineering testers can easily cross ethical and legal boundaries, with serious consequences, warned Sharon Conheady, director of First Defence Information Security Limited, speaking at IRISSCON 2022.

During ethical social engineering engagements, Conheady has pulled off several notable stunts, including persuading an unsuspecting security guard to help her carry a stolen computer monitor out of a building, and posing as a member of staff to walk out of a football ground unnoticed.

Despite the ingenuity and fun of these exercises, Conheady warned of the risks of this type of activity, noting that it is “interesting” to look at famous con artists of the past, such as Victor Lustig, who “sold” the Eiffel Tower.

“Attackers don’t have to deal with formal and legal procedures, but we as security professionals have to think about it,” Conheady said.

She emphasized that “there are a lot of rules you’re going to break” and that ethical testers must be aware of these in their work.

These include:

  • Fraud and trademark infringement – for example, by creating a fake website or impersonating a person or organization in emails or text messages
  • Data protection and privacy – such as recording private conversations
  • Breaking and entering – for example, picking locks to enter a building
  • Bribery and corruption
  • Theft of physical assets, information and identities
  • Misrepresentation or impersonation – especially of police officers

Knowing the local laws is the most important step before taking any action, Conheady said, because what is permitted by law in one jurisdiction may not be in another.

In addition, social engineering testers must ensure that they stay within the scope of their engagement. “It’s very easy to get carried away when you do it, because you’re so happy that you want to move forward,” she said, adding that social engineers tend to end up “egging each other on.”

For example, techniques like “USB drops” are risky because you do not know where the device will end up – it could be picked up and plugged in by an employee’s friends or family rather than by the employee.

These professionals must also ensure that their work is safe, both for themselves and for the client. In one case, two security testers were arrested in 2019 for breaking into a courthouse in Iowa, US, despite having been contracted by the state’s judicial branch.

Although the charges were later dropped, Conheady said “a lot of social engineers in the industry are going to think twice about what we’re going to do as part of a test.”

The Iowa case shows that social engineers must make their contracts for this type of work “100% ironclad.”

Contracts should include:

  • A description of the test and the various activities involved
  • The time window during which testing is permitted
  • Boundaries and exclusions, for example locations or teams that are out of scope

It is also necessary to ensure that the contract is reviewed by the relevant departments in both the tester’s and the customer’s organizations, especially the legal and HR teams.

Social engineers should also carry a ‘get out of jail free card’ in case they are caught or get into trouble. This card should list the names of the other testers, explain what they are doing there, and give the names of at least two contacts within their own organization and at least two within the organization that authorized the tests.

Even where such practices are legal, they are not necessarily ethical, Conheady cautioned. She highlighted several phishing email tests conducted by major organizations during the COVID-19 pandemic as highly questionable.

For example, a phishing test email sent by British train operator West Midlands Trains claimed to offer staff cash bonuses as thanks for their work during the pandemic, much to the dismay of employees when they discovered it was fake.

“If you introduce this type of testing in your organization, be prepared for the negative publicity that follows,” Conheady warned. She added that such tests achieve little if they leave employees resentful of the company.

To avoid these ethical dilemmas, Conheady advised security professionals preparing a social engineering test to check first with the legal and HR departments. They should also consider how people will react when they realize they have been tricked.

Ultimately, Conheady said, social engineering testers need to understand what they are getting into and recognize the pitfalls.

“If you’re going to look like a bad guy, you’d better act like a bad guy,” she said.
