[ISN] Security Tool Tricks Workers Into Spilling Company Secrets

http://www.wired.com/2015/08/ava-human-vulnerability-scanner-finds-your-weakest-security-link/

By Klint Finley
Business
Wired.com
08.11.15

TRICKING PEOPLE INTO bypassing security measures, revealing passwords, and disclosing confidential information is called “social engineering” in the computer security business. It’s a huge problem, and it’s one Laura Bell, founder of the New Zealand security consultancy SafeStack, was contemplating while home on maternity leave two years ago.

Although many companies have mandatory security trainings, she realized there’s no real way of knowing whether such training is effective until it’s too late. What her clients really needed, she decided, was a way to identify the employees most vulnerable to social engineering attacks.

There wasn’t anything like that available at the time, so working in half-hour increments as her daughter slept, she created AVA, a free open-source tool for what Bell calls human vulnerability scanning. But not everyone is happy with the results.

“Some people have said I should go to prison for releasing this,” Bell says.

First, a hypothetical example of social engineering at work. Imagine you’re a junior help desk technician at a large company. You’re low on the corporate ladder, and constantly worried about keeping your job. One night you get a text from a number you don’t recognize.

“It’s Ted,” the message reads. “I need my password reset immediately. Lots of money riding on this deal.”

[…]