Page - 247 - in The Future of Software Quality Assurance
Security: It’s Everyone’s Business! 247
2 Training Security Testers
This example is a security test. Security testing needs to consider what is known as the "iron triangle" of:
• Technology
• Processes
• People
The testing we do is not, and should never be, limited to technology alone. Many people today still think you can "buy security", or that security is limited to a technical solution. Hackers use computers, we will be hacked, therefore hackers attacking the organisation will use computers.
But consider the example above. The only technology involved was a programme first released in 1985. This hack relied on a people vulnerability—the guard wanting to be helpful. It showed a weakness in the process—I didn't scan my card (the process) because the guard scanned their own card in trying to be helpful. How could this be stopped? Could the organisation hire meaner guards? Think on this for a second . . .
A number of things could be suggested. The process could be changed, but unless it is enforced, incidents like this could continue to happen. Awareness is key—if the guards know that someone might try this, they can be aware of the situation. We have all heard of the "mystery shopper"—what we need is a "mystery hacker". Or, in other words, a security tester. The organisation must train the guards and staff to recognise social engineering—the science of skilfully manoeuvring people to take some desired action. Why would a guard open the gate for me? Because I presented a situation to them that appealed to their good manners. You know, those things your parents told you: "Wash your hands, say please, and hold the door open for others . . ." (I was also told to add "Clean up your room!"—thanks for proofreading, Dad).
But this training should never stop at the staff in reception. Upper management need not only to sponsor initiatives on security; they themselves need to participate in security training. They are a huge, visible target—it's easier to find details of an organisation's CEO than the name of a person in Accounts Payable. Look at the organisation's annual report, or your country's company register (Companies House in the UK). Then, using sites like Google or LinkedIn, look them up. Going even further, a data mining tool such as Maltego can uncover a malicious user's treasure trove of publicly available information. Much has been written about spear phishing—targeting an individual for a specific phishing attack. It's vitally important for senior staff to understand the threats posed against the organisation and the possible vulnerabilities that could be targeted. But not only in general terms: the specific attacks focussed on just them.
Business email compromise (BEC) has, for a number of years, relied on a simple fact:
No one questions the Boss!
- Title: The Future of Software Quality Assurance
- Author: Stephan Goericke
- Publisher: Springer Nature Switzerland AG
- Location: Cham
- Date: 2020
- Language: English
- License: CC BY 4.0
- ISBN: 978-3-030-29509-7
- Size: 15.5 x 24.1 cm
- Pages: 276
- Category: Computer Science