Social Engineering and Cybercrime – ACE In The Hole
The data is indisputable. Of all the cyber-attacks reported over the past decade, those that started with social engineering dwarf all the other types of attacks by unheard-of percentages. The way we address it: the ACE In The Hole – Awareness, Communications, Education.
Kevin Mitnick, once known as “The World’s Most Wanted Hacker” and now the CHO of the KnowBe4 cybersecurity specialist group, states that only about 3% of malware attacks attempt to exploit a specific technical flaw in systems. The other 97% target users through clever, specialized social engineering attacks. Check out Kevin’s opinion video on a range of topics including social engineering and penetration testing.
A study published by PhishMe, Inc. in 2017 states that social engineering scams stole over $5 billion worldwide between 2013 and 2016. One of the primary social engineering methods noted in the study was phishing, including spear-phishing and whaling campaigns. Given that the quality of anti-virus/anti-malware software has much improved, as have network administrators’ implementation and understanding of security hardware and software, social engineering attacks such as these in-depth phishing attacks are an ever-growing concern.
The major problem: human beings.
You see, we are social beings. Way back in our history we realized that traveling with and belonging to groups, tribes, and villages pretty much guaranteed a greater possibility of survival than trying to make it alone. The philosophical aphorism “No man is an island” has proven to be true throughout history.
Now I am no geneticist, however, I would suggest that deep down in our DNA is a sliver of a gene that directs us to seek out the company of others for companionship, warmth, conversation, and yes, survival. This gene directs us at some atomic level to trust other human beings. It is this trust that is exploited by the thieves, thugs, and malcontents (my favorite euphemism for nefarious hackers) who would try to break into our systems and steal valuable information.
Let’s look at it from the cybercriminal’s point of view: you can either attempt to write the most awesome, complex, greatest password-cracker program in the history of password-cracker programs, or you can develop a confidence game, directed at an employee who might be having a bad day or at a group of employees who have not had proper cyber-security awareness training, in order to steal credentials.
The greatest password-cracker program in the history of password-cracker programs could take days or weeks to write and would then require that you somehow gain access to a host machine on a network, which, by the way, you’d need credentials to do. Then you would need some considerable computing horsepower and lots of time to actually crack the passwords… and you need the system you’re trying to break into to allow an unlimited number of sign-on attempts. Lots of dependencies there, especially when you can call up a help desk employee, pretend to be a salesperson who values their opinion, and talk that employee out of all types of valuable information about the network, hardware, software, configurations… you get the picture. Check out this example of how simple it is to get passwords from unsuspecting individuals who are trapped by the old “fifteen minutes of fame” approach when late-night host Jimmy Kimmel sent a team out and captured this video.
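The last of the dependencies listed above, a system that allows an unlimited number of sign-on attempts, is the one a defender can remove directly. The following is an added example written for this page, not code from the article or from KnowBe4 or PhishMe: a minimal sliding-window login throttle that locks an account after repeated failures and replays a constructed sequence of sign-on events through it. The class name, thresholds (5 failures in 300 seconds, 900-second lockout) and the sample events are all assumptions chosen for illustration.

```python
"""Added example, not from the article: per-account login throttling.

Caps failed sign-on attempts per account inside a sliding window and applies a
temporary lockout, so an online guessing attempt is no longer "unlimited". All
names, thresholds and sample events below are illustrative assumptions.
"""
import logging
from collections import defaultdict, deque

log = logging.getLogger("login-throttle")


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout per account."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lockout expires

    def _prune(self, account, now):
        """Drop failures that have fallen outside the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, account, now):
        """True if the account may attempt a sign-on at time `now`."""
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[account]  # lockout has expired
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if this one triggered a lockout."""
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
            # The lockout event is what a SOC wants to see: a burst of failures
            # against one account is a signal worth alerting on.
            log.warning("account %s locked until t=%s after %d failures",
                        account, now + self.lockout, self.max_failures)
            return True
        return False

    def record_success(self, account):
        """A correct password clears the failure history for the account."""
        self._failures.pop(account, None)


# Constructed sample: (timestamp in seconds, account, password_correct)
SAMPLE_EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", False), (40, "alice", False),  # 5th failure -> lockout
    (50, "alice", True),                          # right password, but locked out
    (60, "bob", False), (70, "bob", True),        # ordinary user, one typo
    (1000, "alice", True),                        # 900 s lockout expired -> allowed
]


def replay(events, throttle=None):
    """Run sign-on events through the throttle; returns per-account counts."""
    throttle = throttle or LoginThrottle()
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0, "lockouts": 0})
    for ts, account, correct in events:
        if not throttle.is_allowed(account, ts):
            summary[account]["blocked"] += 1
            continue
        summary[account]["allowed"] += 1
        if correct:
            throttle.record_success(account)
        elif throttle.record_failure(account, ts):
            summary[account]["lockouts"] += 1
    return dict(summary)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for account, counts in replay(SAMPLE_EVENTS).items():
        print(account, counts)
```

Note the trade-off a practitioner has to weigh: a hard lockout lets anyone who knows a username deny that user service, so production systems usually combine a short lockout with progressive delays and an alert, rather than locking indefinitely.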
With the ever-increasing use of personal devices such as mobile phones, tablets, and personal laptops on the job, the attack surface of our networks is expanding far beyond the ability of network administrators alone to secure sufficiently. We call this de-perimeterisation. In order to provide an acceptable level of security, we must extend the security responsibilities to the end-user. The best and most effective means to accomplish this is through consistent, targeted security awareness training.
End users are the lifeblood of all businesses. They are the cogs that make the entire machine run. Without the users, there would be no economy, no service, no products. In our ever-evolving workplace, when so much of the workforce is mobile and dependent upon largely unsecured communications links, it is incumbent upon us all to accept responsibility for our own security in both our personal and business lives. It is also, however, the responsibility of the entire business community to constantly enforce best-practice cyber-security thought and action throughout each and every enterprise.
Cyber-security awareness training is an ongoing, dynamic, cyclical process. The thieves, thugs, and malcontents never stop trying to invent new ways to steal our stuff… we should never stop trying to make sure that we at least keep up with them. If you happen to be a security administrator, analyst, or another type of security practitioner, be sure to encourage your organization to keep security, and especially the concerns of cyber-security, at the forefront of your education program. There is a triad of terms we use that applies to any organization’s training program, and it most certainly applies when referencing security and cyber-security training. The ACE in the hole… Awareness, Communications, Education. It is, as mentioned before… ongoing, dynamic, and cyclical.