
B-Sides SF: Sexism can be a security vulnerability

Security researcher and white hat hacker Raven Alder, the first woman to deliver a technical presentation at the famed DefCon hacker conference a decade ago, spoke about gender in InfoSec in her talk "Trinity Crowbar: explanations of presumptions of gender," where she mused on the benefits and disadvantages of being a woman in a largely male-dominated industry.

She admitted that most of the pen testers and vulnerability testers she works with "are dudes" and said that her appearance - dark brown hair with heavy eyeliner - may carry credibility in hacker communities, but attracts suspicion, surprise and doubt from corporate entities.

“Expectations change on appearance," she said. "I look like someone who is scary. My appearance - funny hair color and eyeliner - carries credibility in hacker circles, but not in traditional business circles.”

But while she noted that she is often subject to “unconscious sexism” and date requests – “even after I've broken into their network” – she stressed that gender can also be an advantage, mainly because most people have their own idea of what a security threat looks like.

“People don't assume you're dropping off a USB [stick], seeded with malware, at a car parking lot even when you are,” she told conference attendees.

As a result, Alder noted that sexism need not always be a hindrance, and added that it can be used, from the attacker's perspective, as a tool for carrying out social engineering attacks, or even for gaining trust with other women as part of some sort of “solidarity pitch.”

In addition, she said that gender can act as a huge distraction during an attack, with IT teams too preoccupied with a single conspicuous attacker to notice the others sneaking in through the back door.

“You can act like the dumbest pen tester, create noise and get attention, while other team members slip under the radar.”

Furthermore, Alder said that the sensitivity around gender – especially with physical security checks at the airport – can also be exploited, and noted one example where she was able to sneak into the server room she was auditing by telling security staff that she was “going to the toilet.”

“People are sensitive on physical security. Sexism can be a security vulnerability…if audited poorly,” she added.

Alder's views come shortly after (ISC)2 found late last year that just 7 percent of security professionals in Europe are women, with this figure rising slightly to 11 percent worldwide. “The profession as a whole has been slow in tapping into the pool of talent represented by women,” the organization's report said at the time.

The group launched the Women in Security mentoring scheme last July.


This article was originally published on SCMagazineUK.com.
