If you attended Infosec in London last month, you may have seen the panel discussion that I was part of. It took place on the exhibition floor and was also streamed throughout the show. The topic was social engineering and I was sharing the stage with a number of experts on the subject. One of them was Jenny Radcliffe, who is pretty much the best social engineer I know. Her talks are a great listen, as is her Human Factors podcast.
Jenny’s always full of wonderful horror stories about social engineering and just how easy it can be. So when I found out that I was to share a stage with her, it was clear that I needed one of my own. I headed straight to ebay and ordered a hi-vis jacket with the word “Security” on the back, which cost me less than £10. I’ve often read that such an item of clothing is all it takes to get into just about anywhere unnoticed and unquestioned. Someone had even used one to get into music gigs. It was time to put this to the test.
As it happened, Infosec took place a couple of weeks after the terror attacks at London Bridge and Borough Market. Security at the show was consequently tight, and everyone was advised to allow extra time for their bags to be searched. This seemed like a good time to test out my invisibility cloak. So as I approached Olympia, I took the hi-vis out of the sports bag I was carrying and put it on. I strolled straight to the front of the queue and walked in. No one said a thing. No one asked to look in my bag. No one asked why I was walking around the show without a visitor badge.
I’ve been saying this for 20 years, and it’s as true now as it’s always been: security is not just about technology. It’s about people. If you blow your security budget on firewalls and IDS, anti-ransomware suites and data breach insurance, you’re leaving a huge area of risk unaddressed, and none of that spending would have stopped someone in a £10 vest walking past a bag search.
So here’s your homework for next week. Head to ebay and buy yourself a hi-vis security vest. Add a lanyard with SECURITY printed on it too, if you wish, and knock up a quick photo ID card on the colour printer.
Then give it all to a friend of yours whose face isn’t known in your company, and see just how far they manage to get. Agree the test in writing with whoever owns physical security first, and have your friend note where, if anywhere, they were challenged. Just don’t promise them a prize for every protected area they manage to penetrate, or it’ll end up costing you a fortune. I guarantee it.
from My Time at Infosec Europe 2017