33-vento orientale, Taccuino Sanitatis, Casanatense 4182
The North Wind and Sun have a bet to see who can make a man remove his coat. The wind goes first and blows hard, which makes the man wrap his coat ever tighter around his body. The wind tries harder, but the harder he attacks, the more the man wraps his coat around him. Eventually the North Wind gives up and lets the Sun try. The Sun flexes her muscles and starts to shine as hard as she can. The temperature rises and eventually with the sun beating down on his back, the man removes his coat and is finally exposed to the Sun’s advances.
What has this got to do with InfoSec? Think of the North Wind as an active and aggressive technical hack. Every time the hacker tries something new, the natural reaction is for the organisation to heighten their barricades, to toughen the firewall and become ever more defensive.
By contrast the Sun’s is a social hack. In fact the Sun is the guy that sidles up to you in a bar and starts a conversation. It’s innocuous at first, but eventually you join in. He is in the same game as you and knows some similar people. He buys you a drink and you reciprocate for the next round. You share details of your families and work projects and by the end of the evening you swap cards and contact details. Your corporate raincoat has been removed and now the corporate hacker has all the information required to get his or her foot in the door.
Statistics vary but estimates indicate that between 30 and 50 % of all hacks are of a social not a technical nature. Remember that the Sun can do more damage than the North Wind as the Sun can get you to remove your coat without raising your threat awareness. This is the reason why social engineering should be a tenet of all security awareness training.