‘There Will Never Be an End.’ Mandiant’s Nadean Tanner on Infosec
Infosec will always be a moving target, and the only consistent defense strategy is “hyper awareness.”
There are numerous ways for attackers to get into a company’s network infrastructure. The hard way is finding a security vulnerability and delivering a payload. The easiest way – by far – is through social engineering. That’s according to Nadean Tanner, a consulting manager for education services at Mandiant, the company formerly known as FireEye.
“Social engineering, I think, comes to a lot of people naturally,” she said. And humans’ natural desire to help makes the attackers’ job even easier. “People want to be helpful. They really, really do.”
A CEO’s assistant, for example, could answer a phone call and a pleasant-sounding voice at the other end of the line could say that they had met the CEO at a conference (perhaps the CEO had posted about the event on LinkedIn). “Yeah, I met him right after that talk that he gave, and he wanted me to send you my resume. He gave me his card, but he told me to call you, and he gave me this number. I just wanted to let you know that it’s on its way.”
Primed by the courteous heads-up, the assistant would be expecting the message, open the email and click the attachment. The malware would take it from there.
“Yeah, that one’s been done before,” Tanner said.
Millions of emails are sent every day with nefarious intent, and somebody in your organization is always one click away from handing an attacker their identity or access to your systems. Infosec is and will always be a moving target, and hyper awareness of the danger is the only consistent defense strategy.
“It’s an art to teach people what it’s about, how to be hyper aware without being too terribly paranoid. You do have to live your life,” Tanner said.
A long-time infosec professional, she specializes in teaching people about cybersecurity “hygiene” and how to be hyper aware.
Grace Andrews, principal product evangelist at Equinix Metal, recently spoke with Tanner about the state of infosec at home and in the enterprise on the Beyond Digital podcast. Listen to the third and last episode in our series focused on security.