Trust nothing, question everything: Social engineering and the insider threat


Security consultant, Advent IM

October 30, 2017


Social engineering (in the context of information security): The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

The greatest concern for the 580 information security professionals that responded to the 2017 Black Hat USA survey was the threat around phishing and social engineering (50%, up from 46% in 2016).

Coupled with the fact that the same respondents felt the weakest link in defences was end users being easily fooled by social engineering attacks (38%, up from 28%) this should come as little surprise to security professionals. But these figures may help them to gain that C-suite-level buy-in when trying to develop an efficient and, more importantly, relevant security education and awareness package for their organisation’s personnel.

Social engineering became a familiar information security term to me when I was reading The Art of Deception by Kevin Mitnick. However, social engineering had been used to exploit weaknesses in human nature for many years prior.

In fact, the phrase ‘Trojan’, which many security professionals identify as a nefarious way to disguise malware as legitimate software, was coined after one of the most famous social engineering attacks ever carried out: when the Greeks duped the Trojan people into letting them enter the city of Troy.

People generally want to trust people

A large wooden horse was offered as a gift that the unsuspecting inhabitants too quickly accepted at face value, which as we know was to be their undoing. Yet for all our familiarity over millennia with this type of attack, society is still so often helpless to combat it – why?

Well, the short answer is that people generally want to trust people. When provided with a little background or familiar information, or on seeing the well-known logo of that large brand they have confidence in, people all too readily let their guard down and relax.

It’s at this point that you are more than likely to acquiesce to requests for personal or sensitive information, or to click on a link or change your password on that well-constructed, official-looking email or web page.

Meanwhile, the social engineers themselves can mount attacks that are low-cost, low-tech and easy to implement via mass mailing lists, or, as we are now seeing (evidenced by Symantec research), a more targeted, spear-phishing style attack.

I see the insider threat as incredibly relevant to social engineering. Should a disgruntled employee wish to conduct an internal social engineering attack against the enterprise, there is already an established level of trust with numerous familiar colleagues or employees in the wider organisation, who see a company email address and are therefore more likely to click on the link that John from HR has sent to them.

Alternatively, a member of staff is conned by an external source that has carried out a discovery exercise in order to conduct an attack against that specific employee or a more generic attack against any employee.

The remedy

So what is the remedy? How do we even attempt to change the mindset of employees? How do we begin to change our trusting human nature?

I recall on a counter-intelligence course being told by the instructor to “trust nothing, question everything”, and that has stuck with me over the few short years I have been employed in the information security field.

I’m sure most security professionals are of the same mindset (although I’m also in no doubt that some would also be forgetful enough to click on the innocent-looking link at times).

But what about the average employee? The average everyday person?

A couple of years ago a member of my extended family, of an older generation less exposed to technology, received a popup on their home computer telling them that their PC had been infected by malware. They were instructed to call a ‘Microsoft’ number, which they dutifully did and allowed some thoroughly pleasant, yet unknown chap to remote into their desktop.


A thorough discussion on the risk of allowing someone to access your computer followed, and they assured me that this would never happen again, now they had been forewarned.

Fast forward 18 months and they received a call from the nation’s leading ISP (with whom they have no custom). The ISP required access to account details for their current ISP as ‘your computer has been infected by a virus’ again. They duly provided said details, as well as bank details so the caller could look into their account.

A further strong word was quickly had and all account details were very quickly changed (followed by much tutting and shaking of the head). This story is consistent with another finding of Black Hat USA’s survey: that the most significant threat to consumers is a lack of security awareness about phishing and other social engineering attacks (56%).

Any security education and awareness package should be geared for relevance to the individual. It’s all very well and good showing the impact to the company itself, but if you can also make it about the staff member and how it will impact their lifestyle, you can bet your mortgage they will probably sit up and take notice.

Refresh and revise these packages constantly, including stories from the media that drive home the personal impact on the everyday person.

I believe that making training about your staff and arming them with knowledge on how to avoid being targeted by social engineering both personally and while employed on company business can only promote a positive culture among staff. It should also empower them to be more mindful when opening that email, or fielding that unsolicited phone call.

Also, these training packages should be conducted frequently but not at great length. This ‘remind and revise’ approach will hopefully keep the topic in their mind – look at my relative’s forgetfulness as evidence that once a year or less often is insufficient to achieve this.

I have stated in a previous article that there is nothing more soul-destroying for the presenter or attendee than an hour or two sat in a room with someone droning on, repeating the same content time after time.

Now is the time for companies to bear the aforementioned statistics in mind and be more proactive in combating the social engineering problem. Seize the opportunity to empower your staff with the knowledge on how to trust nothing, question everything.
