What are the best ways to help people spot, resist and report attacks?
Technology can do lots of things better than humans can – playing chess, working a factory floor and soon (supposedly), driving our cars and trucks. But technology, at least so far, can’t trump the human when it comes to protection against cyber-attacks.
Bad guys know it – they know that if they can trick, seduce, or scare a human into clicking on a malicious link or giving up personal or corporate credentials, it’s game over – in their favour.
This is why social engineering is rampant – the damage is always painful and sometimes catastrophic.
The most common type of social engineering attack is phishing – an email purportedly from a trusted source, designed to manipulate the recipient into revealing sensitive information, clicking a malicious link, or opening a malicious file.
Three high-profile ransomware attacks against three cities in Florida this past summer were all enabled by an employee responding to a phishing email.
The 2019 Verizon Data Breach Incident Report found that phishing was the top cause of data breaches, at 32%, and was a factor in 50% of security incidents last year.
Security firm FireEye, in its Q1’19 Email Threat Report, found that phishing attacks rose 17% in the first quarter of this year.
That, of course, is because it works. As Christopher Hadnagy, founder, CEO, and chief human hacker at Social-Engineer, put it: “Phishing is the easiest because it has the lowest cost and the potential is huge.”
An ominous trend Verizon noted is that phishing attacks are increasingly aimed at C-level executives. These targets tend to be busy and under too much pressure to be wary of any single email within the ongoing flood they receive. They also have approval authority and virtually limitless access privileges.
This raises the obvious question: What are the best ways to help people spot, resist, and report cyber-attacks?
Many well-crafted security awareness programs have been in place for decades. Every major security conference in existence features multiple presentations on how to prevent social engineering attacks.
The reality is that it’s hard. So hard that Travis Biehn, technical strategist at Synopsys, contends that social engineering awareness training has “negligible effects.”
“The only thing that seems to make a difference is constant training – and even then, attackers eventually find a weak link,” he said.
Biehn even thinks those programs can yield perverse results. “Social engineering awareness is a form of victim blaming. People aren’t built to resist subterfuge, and they can’t execute your checklist when they’re fatigued, overworked, or hungover,” he said.
Tools and tech must overcome psychology
Not everybody has that bleak a view. Mario Mercaldi, associate principal consultant at Synopsys, thinks awareness training is important and can be effective. But he agrees with Biehn that it’s much more difficult and nuanced than simply telling people that “if something doesn’t seem right, it probably isn’t.”
“It’s more complicated than that, and your ‘BS detector’ cannot replace policies and procedures – at home and work,” he said. “Add in the fact that people in general are not very good at discerning voices over a phone or otherwise, and with the new ‘deepfake’ era, it’s getting even more difficult to spot potential issues. This is why the bulk of awareness training must focus on process versus the effort of trying to spot a fake.”
Indeed, the reason social engineering is so successful is that it takes advantage of how humans are wired. Video gaming scams work, Mercaldi said, because they are “designed to make it intuitive to easily spend hundreds or thousands of dollars on digital items with little intervention to detract from the microtransaction process.”
The same psychology applies to “one-click” products. “They have the same built-in feature of making it too easy to order something you don’t necessarily need because of convenience,” he said.
How to prevent social engineering attacks
Ultimately, experts say, it takes a combination of training and technology for organisations to avoid being the proverbial “low-hanging fruit” and prevent all types of social engineering attacks.
Thomas Richards, principal consultant at Synopsys, said the most effective training technique he has seen is for companies to “conduct continual and frequent social engineering tests of their employees. After speaking with several executives, many were able to take a click rate in the 20% range and reduce it to single digits,” he said.
Hadnagy, who presents multiple courses in social engineering throughout the year, focuses on teaching students all the techniques that attackers use. The idea is that if you know how to do it, then you are much more likely to know when somebody is trying to do it to you.
But he also agrees that “being truly secure is a blend of the right technology and the best education.”
Chris Clark, business development manager at Synopsys, said some examples of technology help include “security capabilities capable of catching these attacks – smart email filters, regional blocking, reactive firewalls paired with content filtering. Attackers are always scooting around, so make sure you have a good mousetrap.”
Don’t forget about process
Mercaldi said “process” can help prevent social engineering attacks as well. He cited the case of a phone call from a supposed CEO to a junior executive, directing him to wire US$250,000 to an account. But the scam didn’t work because the organisation’s policies “required a sign-off policy from multiple people ‘in person’ and if there was a need to fast-track funds, it should have been discussed before, within an active window,” he said.
Still, however, it comes down to the human in the end. “Innovations that require intervention can also be bypassed by an attacker if they can convince the victim to do so,” Mercaldi said. “I don’t think there’s a technical guard that can’t be exploited by social engineering.”
Taylor Armerding is security advocate at enterprise tech firm Synopsys Software Integrity Group