The human OS: Overdue for a social engineering patch

Experts say training -- done well and frequently -- can make employees much more difficult to 'hack'

It sounds like the operating system that really needs some serious security patches is the human one.

While technology giants like Microsoft, Google and Apple regularly crank out updates, patches and fixes for zero-day vulnerabilities and other threats, the weakest link in the security chain -- the careless or clueless employee -- remains the weakest.

That is in large measure because there is no technology that can prevent someone falling for increasingly sophisticated social engineering attacks. As has been regularly reported during the past year, some of the biggest data breaches in history have been launched by attackers fooling an employee.

And that is despite years of exhortations by experts that worker security awareness training needs to be much more than a perfunctory lecture or PowerPoint presentation once every six months or so.

In a recent flash poll conducted by Dark Reading, more than half of 633 respondents said, "the most dangerous social engineering threat to their organizations was due to a lack of employee awareness."

The latest McAfee Phishing Quiz, which had drawn more than 30,000 participants in 49 countries as of early this month, found that 80% fell for at least one phishing email in the 10-question quiz. Among business users, the best score came from IT and R&D teams -- but their score was just 69% correct in detecting which emails were legitimate and which were phishing.

In short, human hacking continues to be far too easy. Chris Hadnagy, chief human hacker at Social-Engineer, said during a Dark Reading radio interview that, "as you can see from the news, it's (social media attacks) working way too well."

According to Hadnagy there are three major causes for that -- the first two relating to human weaknesses and the third to much-improved attacks.

First, people are programmed to want to help others. "Inherently we want to trust people," he said.

Second, most users are uneducated about security threats. "Companies are not doing a great job at security awareness education that matters to or affects the employee," he said. "Put those two together -- the psychology and the lack of education -- and you have breeding ground for social engineering."

And that makes them even more vulnerable to attackers who have upped their game. "It starts with OSINT (open-source intelligence) or online information gathering," Hadnagy said. "That's the lifeblood of social engineering. Once the information is gathered, it becomes apparent what attack vector will work best."

Theresa Payton, former White House CIO and current CEO of Fortalice Solutions, agrees that OSINT gives attackers far better tools to fool their targets.

"They figure out who the executive team is, the law firm, the names of the corporate servers, current projects, vendor relationships and more," she said. "They use the reconnaissance, which can often be done in less than a day, to create sophisticated social engineering attempts."

Attackers have also almost eliminated one of their most obvious weaknesses. Gone are the days of lousy spelling and grammar that made phishing emails relatively obvious.

"They're using spellcheck, and they hire organizations to proofread their emails," he said. "That was a huge indicator in the past."

Finally, there is the rise of "vishing," in which an attacker makes a phone call, posing as someone from another department, to urge an employee to click on a link in an email without checking it thoroughly.

"This means sending the poisoned email to a secretary, and then calling her on the phone to 'confirm she received the email,' under pretense of having to communicate something important to the organization," said Mark Gazit, CEO of ThetaRay. "The adversary will typically stay on the line to make sure the employee launches the attachment."

Gazit said vishing attacks also include sending employees an SMS with a link to a phishing site or a spam message claiming that one of their payment cards has been blocked. "In the process of hastily responding to such a message, the victims end up divulging their banking credentials and PII to the attacker," he said.

The only effective "patch" for this rampant vulnerability, experts say, is better training. And that means changing the prevailing model that they say seems aimed more at "check-the-box" compliance than embedding continuous security awareness in employees.

"Training should not be an 'event,'" Payton said. "We need to move from training to positive reinforcement. Candidly, most of the training we see falls into the 'they snooze, you lose' category of computer-based training."

She recommends creating a "feedback loop" for employees to "tell us why our security protocols get in the way of doing your job; an emotional trigger, to let us show you how following our advice protects you at work and at home; and offering something more than a compliance exercise."

Hadnagy said effective training has to include "real-world" examples. "We do impersonations during business hours to gain access to the building," he said. "The goal is not to make people look stupid, but to show weak spots and what you need to do to strengthen them."

Gazit also said "one-time, boot camp-style training for large groups" doesn't work. "These one-off blasts overload employees with information that they don't really relate to, so they tend to forget it as soon as they are back at their desks," he said.

And he agreed with fellow experts that employees need to feel that the training is relevant. "Executives, accountants, administrators and plant workers are not all subject to the same cyber threats, so training must help each group learn how to recognize and handle the specific threats they are most likely to encounter," he said.

Of course, just as is the case with technology, nothing will make an organization bulletproof. But Hadnagy said good training can dramatically lower the risk. He spoke of one company that hired his team two years ago to test their awareness, and 80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk.

"We went to town educating them, and then in a later test, which we made more difficult, they shut us down," he said. "We got nowhere."

That, he said, shows how effective good training can be. "Statements like, 'There is no patch for human stupidity' are damaging to the belief we can fix this," he said. "It's not about humans being stupid, but about humans being unaware and uneducated, and having no direction on what to do when attacks occur."
