I wanted to share this excellent article that I read on LinkedIn recently. It is by Professor Daniel Solove. In the article he discusses a recent hacking scandal involving a US baseball team. He talks about what can be considered a ‘hack’ and who can be considered a ‘hacker’, then clears up a number of common misconceptions about network security. Not all ‘hacks’ are sophisticated or technical.
I had an interview recently and I was asked about how I would go about exfiltrating data. I launched into a long-winded technical answer talking about port scanning, exploiting code and avoiding IDSs, etc.
When I got out of the interview and was driving home, it suddenly hit me that what I should have said was: target the human attack vector by using good old social engineering.
Some hacks may not be sophisticated, but that isn’t always a bad thing. I truly believe the first rule of network security should always be “Keep it simple, stupid!”.
This applies to both offensive and defensive security. That is not to say that simplicity should come at the expense of functionality; all security goals should still be fully achieved, but achieved as simply as possible.
As Einstein succinctly put it, “Everything should be made as simple as possible, but not simpler”.