In the hacking world, a password is only as strong as the person who knows it. Some of the most common tricks hackers use are social engineering and phishing—attacks that gain access to users’ accounts and company documents without touching a line of code.
Detecting the weakest security link on a staff usually requires hiring a team of security experts. A New Zealand-based software company, SafeStack, is now testing an application called Ava to do that job virtually. Ava is a program to test humans.
Ava works in three phases. It first learns how the organization works: who has which permissions, which people communicate often, and how trusting certain relationships are. From there, Ava sends targeted messages over social media and email in an attempt to obtain passwords or documents. That could be an email from a supervisor asking for access to a certain document, or for the password to a company social media account. Employees don’t know which messages are from Ava and which are legitimate—just as in the real world. After the tests, the resulting data is analyzed and quantified.
Ava uses Twitter, Facebook and LinkedIn to test security; this raises concerns about privacy and boundaries at work. An ethics panel has been created to talk about the ramifications of employers tricking their employees, reports MIT Technology Review, but Ava has already been tested in some small companies in New Zealand.
SafeStack CEO Laura Bell, who presented Ava at a cyber security convention last week, said that repeated slip-ups and security breaches due to human error show that education alone isn’t effective.
“If I’m the attacker, I’m going after the people,” Bell told MIT Technology Review. “People are the path of least resistance, and we have to do something about it.”