Friday, 19 August 2016

Security consultant might just be a guard

Seeking and loathing
On one of the dating app haunts that I sometimes ply, I came upon an elaborate profile in general terms, but something stood out that I decided not to ignore.
The young man had stated that he was a security consultant with a major bank. Now, having seen thousands of profiles, some angry, some demure, many empty and quite a few demonstrative of angst, insecurities, inadequacies and dare I say prejudices, I have been tempted to write a guide to useful dating profiles.
Then again, it is not like I have been entirely successful in my quest for companionship through dating apps or websites. However, what you do see on my profile in the main will be what you get. I rarely mince words and sometimes my old-fashioned self, requiring correctness, politeness, comportment and much else gets in the way of simple engagement.
Can we talk for a minute?
Yet, I thought to engage this young fellow to illustrate a looming risk in telling strangers on dating sites such unnecessary detail as to whether you own your homes, have a car, have the greatest job on earth and other puffery that is of no particular relevance than a possible endangerment.
I started with ‘Let me humour you …’, to have a high profile job at your age must be commended, however, in putting it out there, you create a vulnerability profile around yourself that can be exploited by nefarious people or organisations. Whilst they might not come for you, they can go for close contacts around you besides the possibility of you being a Trojan horse into your banking organisation.
Just over an hour after I sent the message, I got the response, “Try and social engineer me, just try.” The young fellow had missed the point. And so I responded.
Missing the point entirely
Social engineering is passé and that is mostly for low hanging fruit. As a security consultant, you have access and knowledge that ordinary users will not have. You have a nickname you have used on this site that will probably be the same on others.
Your picture appears here and simple Internet tools can be used to match your picture possibly to an identity on Facebook or LinkedIn and after that, they only have to build a vulnerability profile that they can exploit without you knowing that you are being stalked online.
In closing, I said, “We technical people have to be careful that either our of carelessness or hubris, we expose our organisations to more harm than we are willing to admit our acts of wilful stupidity cause.”
Unlearning arrogance
I was blocked. Blocked probably because he thought I was attacking him or he felt that he was too good to be taking advice on issues where he is supposed to be the expert.
A simple example of the silliness of putting such a risk intensive role online in forums like a dating site is for someone to go around saying they are secret agents. Others would either go for the agent or go for people around that agent to gain access acquaintances to whom some connection can compromise the resolve of the agent.
Then again, there is a know-it-all syndrome that I have observed amongst certain young people who have created an incapacity to learn or be advised, they are single-mindedly impervious to any instruction and rapidly chart a course to perdition.
Probably maybe
An alternative response would have been to acknowledge that there was a point being made borne of other experiences and that could be used to improve oneself. It is a question of attitude.
Suffice it say that the said nickname appeared on other sites, but for the fact that one, I have nothing to prove and two, I am not malevolent. It would have been an interesting exercise to create the profile I told him of and send it to him, but honestly, it would have been a waste of time in any case.
When I relayed the tale to a friend, he suggested the fellow might have been in security as a security guard. Not once did I contemn him, but his reaction belies that great possibility, he has keys to doors and not keys to data.


No comments: