No matter how secure you make your network you will always have one significant weakness: the users. Humans are terrible at risk management, and if somebody doesn’t understand the risks involved in specific actions it is almost impossible to train them not to do those actions. Consider phishing scams. They often rely on e-mails that look like they’re from a specific site, say Gmail, that include a scary message about your account being unlawfully accessed and a link to a site where you can log in to change your password. Of course that link actually goes to a site controlled by the phisher and exists solely to steal your password so they can log into your account. But most people don’t understand the risk of trusting any official-looking e-mail, visiting whatever link it provides, and entering their password, so training people not to fall for phishing scams is a significant challenge.
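As an added example (not part of the original post), here is a small check for exactly the mismatch described above: the link's real destination versus the sender's domain and the domain the visible link text claims to be. The sample message, domains and function names are all constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the post): the mail claims to be Google, the link is not.
SAMPLE_EMAIL = {
    "from": "no-reply@accounts.google.com",
    "html": '<p>Unusual sign-in detected. Change your password here: '
            '<a href="http://accounts-google.example-login.net/reset">https://myaccount.google.com</a></p>',
}

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude eTLD+1 (last two labels); a real filter would use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def visible_text_domain(text):
    # Domain the link text *claims* to point at, or None if the text is not URL-like.
    m = re.fullmatch(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?", text, re.I)
    return registered_domain(m.group(1)) if m else None

def suspicious_links(email):
    # Flag hrefs whose domain matches neither the sender's domain nor the text shown to the user.
    sender_domain = registered_domain(email["from"].rsplit("@", 1)[-1])
    parser = _LinkCollector()
    parser.feed(email["html"])
    flagged = []
    for href, text in parser.links:
        href_domain = registered_domain(urlparse(href).hostname or "")
        claimed = visible_text_domain(text)
        if href_domain != sender_domain or (claimed and claimed != href_domain):
            flagged.append(href)
    return flagged
```

A mail gateway or client plug-in can run this over inbound HTML and warn the user before they click; it will not catch a compromised legitimate sender, only the lookalike-domain case the post describes.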
Even people who are in positions where they should expect to be targets of hackers fall for phishing scams:
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.
While the United States government and some security researchers point the finger at Russia it should be noted that this kind of scam is trivial to execute. So trivial that anybody could do it. For all we know the e-mail could have been sent by a 13-year-old in Romania who wanted to cause a bunch of chaos for shits and giggles.
But speculating about who did this at this point is unimportant. What is important is the lesson that can be taught, which is that even people in high positions, people who should expect to be targets for malicious hackers, screw up very basic security practices.
If you want to make waves in the security field I suggest investing your time into researching ways to deal with the human component of a security system. Anybody who finds a more effective way to either train people or reduce the damage they can do to themselves (and by extension whatever organizations they’re involved in) while still being able to do their jobs will almost certainly gain respect, fame, and fortune.
Most of the scams are pretty transparent, but occasionally I get one done well enough that I ask myself, “Is this real?” I think the best frame of mind is high suspicion even when it seems very clear that the contact is legit.