What Motivates Young Cybercriminals?

In the world of cybercrime, the majority of cybercriminals seek financial gain, but this is not the primary motivation. Aside from the advanced sophistication of state-sponsored incidents, what drives the young cybercriminal to venture into the dark side boils down to ego. Adolescent criminals seek recognition among their peers, eager for a sense of success in an effort to prove themselves.

Many seek popularity within internet hacking communities, driven by the feeling of accomplishment that comes from having compromised a target. This gives them a rush and an urge to develop their skills further, and they become tragically involved with organized crime, immersed in its addictive and dangerous sphere of influence.

Others find inadequate employment opportunities and are thus lured into the dark side to learn a skill as a matter of survival by participating in online hacking groups. They are easy prey for organized crime and state-sponsored groups to recruit, indoctrinating them into …

Information Security Politics on How to Influence

I have always been passionate about this industry, never giving up my quest to share my knowledge, which spans over twenty years as an independent consultant in the field. Having had the privilege of working with a wide array of Fortune 100 corporations, as well as the federal government and state agencies, I gained much experience maneuvering the political minefield of this industry to become successful. It is not an easy road: mastering the technical and compliance skills is a given, but the people skills must also be polished to reap the benefits of influence and awareness, and to get the people with the power to buy into your visionary roadmap.

Understanding and avoiding those pitfalls will demonstrate what it takes for the aspiring security professional to learn the ropes of politics within this industry from the standpoint of the human equation. I will discuss best practices for maneuvering corporate politics so that one can play the political game well to advance one's career and contribute to the industry.

Influence The Human Weakness

Most information security controls can be bypassed or subverted by careless or unaware end users. I have lost count of the number of times I have heard an end user state, “I had no idea that there was a policy on that.” The human is the weakest link when it comes to addressing the issue of security controls. When researching a successful breach, I find that many of us on the outside exhibit a pejorative reaction toward gullible people, and I wonder whether that is a knee-jerk reaction coming from human emotion rather than logic.

We as humans are involved and always gravitate to the path of least resistance, taking shortcuts and being ruled by temptation, and the attacker's intent is to know more about you in order to deceive. Deception is the attacker’s greatest weapon, and that goes for each and every one of us in our daily lives as well. As security professionals, we consider ourselves hard to manipulate and able to smell a con from miles away, and many of those we observe outside our profession seem more gullible. This, in fact, makes us misjudge our capabilities and is one of the many reasons we fail to influence upper management. Influence generates income, as proven by the enormous profits that corporations, religious groups and other organizations make using these techniques.

Denial

Humans, in general, are in denial by their very nature and tend to think bad things like data breaches, death, accidents, crime, natural disasters and the like happen only to others. If you are a student of physics, Newton’s law states that for every action, there is an opposite and equal reaction. So when I look at the reasons why they are in denial, which is a human response, there must be an action that triggered the rejection. Why do humans routinely, in a fixed pattern, react by denying major life events? The reason is that humans think they are good at spotting deception, that people seldom deceive, and that it happens to others, not to them. These knee-jerk reactions make us respond to requests by feeling rather than thinking; we are “unaware” of our responses. But the reality is that some people in denial prefer the lethal consequences of their rejection as long as they don't have to question their own motivations, beliefs, and ideologies. People in denial go through their daily lives secure in the knowledge that their self-image is protected against any information, feelings, or awareness that might force them to change their view of the world. Nothing, not even facts, observable behavior, the use of reason and logic, or the evidence of their own senses, will make them reevaluate that worldview.

This is one of the hardest behaviors to change: getting people out of denial and making them aware that they are unaware. Techniques to use are:

  • Patience - Denial is a coping mechanism. Willfully ignoring facts helps some people maintain sanity in insane situations. For others, it postpones the need to deal with them. Call it a shock absorber for the soul where some people need more time than others to face the realities of a given situation. Vexing for you, but necessary for them.
  • Distinguish denial from lack of knowledge - Ignorance can be remedied by gathering information that allows you to make better decisions. Denial is refusing to acknowledge the facts. So make sure that the person having a hard time accepting a situation understands the options, causes, and remediations, and what to expect. Share articles. Encourage conversations with experts, or with others who've been in similar circumstances.
  • Calmly repeat the facts - Do it without sounding judgmental by calmly presenting the events that led you to your own conclusions: "The DDoS attack is targeted at our web servers, and it is steadily increasing, rapidly consuming our resources to the point that they become unresponsive. As CIO, you told me yourself that the business group made critical errors with their applications in their zeal to push them ahead without proper testing, requiring perimeter firewall changes. I think the CEO and board should hear about these changes and check them out." Write the facts down and repeat them, again and again, as necessary.
  • Leave your ego behind - When denial leads someone to criticize your choices, never take it personally. Their reaction is just a defense born of their lack of knowledge; understand it, be kind, and repeat the facts calmly.
  • Encourage discussions about why they are in denial - Be clever in how you go about this encouragement. Be understanding and ask exploratory questions: "Why do you think our firewalls will mitigate the DDoS attack in progress?" "What would be the worst that would happen if we spoke to the business unit in question and offered to help them secure their application?" The main point is for them to realize they are unaware and in denial; once you have accomplished that, you have eliminated a significant barrier to winning them over.
  • Never confuse denial with giving up hope - Denial means avoiding the factual realities because they are just too painful to embrace, to the extent that in doing so you also refuse to become aware of the facts. Many people are aware but are asking the wrong people for answers, or just need encouragement. Be a good listener to discern what they're trying to convey.

Authority

People generally respond obediently to authority and are brought up to respect it in their daily lives. When used correctly, it is a powerful influence; however, be cautious about how it is administered, as it can backfire into total resentment. Authority is more than telling someone what to do and how to do it. For security professionals who are under authority, work it in reverse to influence those who hold the power. Humans perceive authority in many ways: your boss and those higher up the food chain in any organization. Law enforcement, religious leaders such as priests and bishops, elected politicians and even wealth come into play in how we identify someone with authority. Here lies the most common exploit an attacker uses in social engineering: the attacker masquerades as someone of authority to deceive you into divulging information.

Here are some techniques to properly use authority to influence:
  • Have common courtesy and interest in others - It is a function of taking the time to know what is important in people’s lives, understanding the fundamental values that drive them, listening to their ideas and acknowledging their worth, extending to them the same kind of concern for their welfare as one would expect for themselves.
  • Create a broad network of professional relationships inside and outside the organization.
  • Always think of negotiation and persuasion in terms of mutual benefit rather than manipulation: a win-win scenario.
  • Strive to solicit the opinions and perspectives of the people whose support is essential.
  • Build a partnership with the people who will be most affected by an initiative and whose buy-in is crucial to success.
  • Be transparent about your personal motivations, and never be hesitant to “over-communicate.” Articulate and get your point across.
  • Give credit where credit is due by sharing it with others.

The Proof is Social

When in Rome, do as the Romans do. When visiting a foreign land, follow the customs of those who live in it. It can also mean that when you are in an unfamiliar situation, you should follow the lead of those who know the ropes. People make decisions in the same way when they are uncertain: they decide by seeing what others around them do. Often, when I ask during a security assessment, “Why are you sharing your access credentials?” the response I get is “we do it all the time around here.” It is the social norm, and humans are creatures of habit. Interestingly, this can quickly spiral out of control to the point where a devastating breach can occur and nobody will act upon it. People are playing the “I am too ignorant to know or do anything about it” game. Ignorance may be bliss, but it does not hold up in court after a severe breach, which has landed people in jail. Through social engineering, a smart attacker can use the techniques of persuasion by telling the target that everyone else is doing what the attacker is asking for, such as giving out login credentials or other highly confidential information. If there is proof, or the target knows this to be true, it would be tough to resist the request.

What I am illustrating are techniques to influence by example:
  • Identify a vulnerability and orchestrate an example by testing the results.
  • Demonstrate the exploit in a presentation, live if possible to senior executives.
  • Map out mandated compliance requirements the exploit is in violation of and the consequences.
  • Present facts where similar exploits have occurred in their industry and the consequences they suffered.
  • Demonstrate security is a vital part of business enablement to protect their crown jewels from being compromised.
  • Solicit their points of view and support on how they can become instrumental and involved in securing their vital assets.

It is imperative that aspiring information security professionals, and in particular CISOs and Directors, master the art of influence within their organizations. We are not known to be the most significant influencers around because of our outdated way of thinking. Yet what the profession brings is the mindset of protection; what keeps us up at night is wondering whether we have done enough to protect our organization's assets, always asking what more we can do with the resources available.

Security in any organization is everyone’s business, at work and at home, yet many of us take it for granted. Given this fact alone, the power of influence will pave the way to making a sound vision a reality, and it begins with understanding the human weakness and how to deal with it on a daily basis.