Yesterday, at the GTISC summit on emerging security threats, the panelists reminded us of just how bad it is out there. Will my customers be vished? Will the botnets infect my network? Will some nation-state/criminal entity – rife with script gurus – eat my lunch? These kinds of threats continue to grow in number, sophistication, and impact.
The one thing that I didn’t hear was a lot of talk about great successes in process-level security. This was especially worrying since we were told that application-level attacks are rising. Vishing is a good example. To a vished customer, the criminal’s process can feel just like your business process. For all the customer knows, he was using your processes and giving you his trusted information over the phone – his trusted phone. No one can hack that, right?
A few years ago, I co-keynoted a user conference with Kevin Mitnick. I was a little uneasy at first, Kevin being such a well-known former black hat. But if he had no problem co-keynoting with a well-known Methodist, who was I to complain? Kevin gave a roaring talk and demonstration with a strong focus on social engineering. Social engineering came up a lot yesterday too. Is social engineering the most obvious security threat, and the one most routinely overlooked, in your business process analysis and design efforts? I’m just speculating, but I’ll bet your processes – and, critically, your process participants – are exposed as sitting ducks, waiting to be blown out of the water. Or do you know something that a panel of security experts didn’t? I know who I’m betting on.