When I studied at University one of my professors would always say, that we have to get a feel for trouble to succeed in life. (In German: “Sie müssen immer Störgefühle bekommen”.) Others would call it follow your intuition or get a hunch, but whatever you want to name it, one of the most prominent techniques to perform hacks is Social Engineering, and you definitely need to have a presence of mind to identify it.
Latest news reports described how the CIA’s director’s private email account got hacked. According to media reports the hackers did not exploit any software vulnerabilities, but used Social Engineering to obtain private information that would allow them to call a help line and pose successfully as the victim to reset the account’s password. Apparently they were able to do this three times after the victim had managed to reset the password again. Needless to say they leaked the information at least partially.
In this chain of events a few people did not get a feel for trouble. Neither did the people who fell victim to the Social Engineering attack and provided the hackers with the private information, nor did the help line employees from the email provider think anything strange about repeated password reset requests for the same account in a short time frame. Now there should be threat detection support for the latter. A red flag should show up when you receive too many password resets in a short period of time for the same account.
What does this teach us? You cannot only rely on security technology to safeguard your assets. You also have to use your upper faculties to defend successfully.
Gerlinde 