Cybersecurity and Safety Myth: Degrees of Separation

There are some cybersecurity (and other) groups that believe that if they achieve a certain number of degrees of separation from an adversary, they can claim to be safe from adversaries. This is a myth. To demonstrate one way this myth can be shattered, let’s consider the following scenario. An adversary is 10 degrees separated from an employee. The adversary utilizes an asset to seduce an 8-degree separated entity. The 8-degree separated entity brings the asset to an industry conference and makes introductions with entities that are 7, 6, and 4 degrees away respectively. The asset pivots and seduces degree number 6, who then, in turn, introduces the asset to a degree 3 entity. The degree 3 entity ‘helps’ the asset get an ‘entry level’ position where the asset creates contacts with degree 2 entities. A degree 2 entity makes introductions and the asset becomes a direct contact with your organization. The adversary’s asset now has direct contact and infiltration capabilities into your organization.
Operational security has no friends or lovers. There is no degree of separation that can guarantee operational safety, cybersecurity, or secrecy. People need to be trained to understand how minor details can lead to major breaches.
~all for now