This week I attended the Gartner Symposium in Barcelona. The event is for IT leaders and executives, held in a magnificent venue and superbly organized.
Having the chance of giving a talk there, I wondered what kind of message should I give to such attendees. These people lead big companies and get regular reports from the best analyst in the world. During the conference basically they will get tons of information, and I wanted my message to remain in their minds, so I decided to go for a practical approach.
When talking about the next and most dangerous threats for big companies in the near future, I did not want to enter into technical details that would make my public go away or go to sleep in the first five minutes, so I decided to center my presentation on targeted attacks and consumerization. Basically, we are facing a new paradigm where I think we are not considering seriously the human factor as, probably, the weakest link in the security chain.
The message was clear and useful. The next think I needed to do was to prepare something "shocking" so my attendees will remember my presentation and hopefully, apply some measures in order to secure their organizations against the described threats. I wanted they to know how "hard" it was to create a targeted attack, so I chose some popular tools for gathering information such as The Harvester and for preparing social engineering attacks such as SET.
Basically, using these tools you can create a replica in your own system of some of the most popular sites such as Gmail or Facebook for stealing credentials in less than 1 minute, as well as send mass mailing phishing messages to the targets gathered in the information gathering step. The message here is clear: never to promote the use of these tools for badness, but we should face reality. These tools are freely available and it depends on the user of making a good or bad use of them, they are not malicious by themselves. Still, in case someone chooses the bad way, it is very easy for an attacker with zero technical knowledge to create a targeted attack.
I strongly recommend spending a few minutes learning how to protect against this attacks in our LabMatters video on the topic.
Updated: Even very sophisticated attacks such as Duqu are initiated by social engineering. Check the excellent post of my colleague Aleks.