Your Hardest Infosec Problem: Getting People to Give a $@%&
So, this post is totally inspired by a Tweet I saw from Zach Lanier (aka @quine). He came! He scanned! He found vulns! He dutifully sent them off to the various IT folks who manage systems and applications! And….(crickets chirping). Nothing. No one cared.
So, this post is meant to give you infosec folks some shiny new ways to get those beloved admins and dev teams to actually RESPOND TO YOUR EMAILS AND PHONE CALLS! Here we go:
- As if by magic, several cases of Mountain Dew appear in said admin’s cubicle. You could even add a little sticky note – “Call me. I’ve missed you!”
- Hack your admin’s boss’ computer and change the screensaver to the BSOD! This will create some good humor in the department, and you can conveniently drop by in the throes of this madness and bring up your list of issues!
- Somehow tie the remediation of those vulns to a free T-shirt. God knows that highly-paid IT professionals will actually engage in physical violence to get a free T-shirt.
- Send a meeting invite with the subject “Donuts” or “Pizza”. Works every time.
- Pull the classic “ARP Cache Poison your Coworker” trick! Mwahahaha – no more “ThinkGeek” or “Slashdot” for you! Redirect their HTTP requests for geek Web sites to the Barry Manilow Fan Club site. This will get frustrating. Then, when their entire day is ruined, swing by to hear their tale of woe. Mention how you can “look into the problem” with the network folks. Once things are working again, cash in your “grateful points” to discuss the vuln list you sent.
- Make a contest out of fixing vulns, or maybe just replying with a reasonable response…? Sure way to get attention? The prize is any-*#$%-thing with XKCD content.
These are just ideas to get you started. Granted, most are silly, or even (gasp!) highly unethical, but hey! Gotta think outside the box here.