The human OS: Overdue for a social engineering patch

Experts say training -- done well and frequently -- can make employees much more difficult to 'hack'

It sounds like the operating system that really needs some serious security patches is the human one.

While technology giants like Microsoft, Google and Apple regularly crank out updates, patches and fixes for zero-day vulnerabilities and other threats, the weakest link in the security chain -- the careless or clueless employee -- remains the weakest.

That is in large measure because there is no technology that can prevent someone falling for increasingly sophisticated social engineering attacks. As has been regularly reported during the past year, some of the biggest data breaches in history have been launched by attackers fooling an employee.

And that is despite years of exhortations by experts that worker security awareness training needs to be much more than a perfunctory lecture or PowerPoint presentation once every six months or so.

In a recent flash poll conducted by Dark Reading, more than half of 633 respondents said, "the most dangerous social engineering threat to their organizations was due to a lack of employee awareness."

The latest McAfee Phishing Quiz, which had drawn more than 30,000 participants in 49 countries as of early this month, found that 80% fell for at least one phishing email in the 10-question quiz. Among business users, the best score came from IT and R&D teams -- but their score was just 69% correct in detecting which emails were legitimate and which were phishing.

In short, human hacking continues to be far too easy. Chris Hadnagy, chief human hacker at Social-Engineer, said during a Dark Reading radio interview that, "as you can see from the news, it's (social media attacks) working way too well."

According to Hadnagy there are three major causes for that -- the first two relating to human weaknesses and the third to much-improved attacks.

First, people are programmed to want to help others. "Inherently we want to trust people," he said.

Second, most users are uneducated about security threats. "Companies are not doing a great job at security awareness education that matters to or affects the employee," he said. "Put those two together -- the psychology and the lack of education -- and you have a breeding ground for social engineering."

And that makes them even more vulnerable to attackers who have upped their game. "It starts with OSINT (open-source intelligence) or online information gathering," Hadnagy said. "That's the lifeblood of social engineering. Once the information is gathered, it becomes apparent what attack vector will work best."

Theresa Payton, former White House CIO and current CEO of Fortalice Solutions, agrees that OSINT gives attackers far better tools to fool their targets.

"They figure out who the executive team is, the law firm, the names of the corporate servers, current projects, vendor relationships and more," she said. "They use the reconnaissance, which can often be done in less than a day, to create sophisticated social engineering attempts."

Attackers have also almost eliminated one of their most obvious weaknesses. Gone are the days of lousy spelling and grammar that made phishing emails relatively obvious.

"They're using spellcheck, and they hire organizations to proofread their emails," he said. "That was a huge indicator in the past."

Finally, there is the rise of "vishing," in which an attacker makes a phone call, posing as someone from another department, to urge an employee to click on a link in an email without checking it thoroughly.

"This means sending the poisoned email to a secretary, and then calling her on the phone to 'confirm she received the email,' under pretense of having to communicate something important to the organization," said Mark Gazit, CEO of ThetaRay. "The adversary will typically stay on the line to make sure the employee launches the attachment."

Gazit said vishing attacks also include sending employees an SMS with a link to a phishing site or a spam message claiming that one of their payment cards has been blocked. "In the process of hastily responding to such a message, the victims end up divulging their banking credentials and PII to the attacker," he said.

The only effective "patch" for this rampant vulnerability, experts say, is better training. And that means changing the prevailing model that they say seems aimed more at "check-the-box" compliance than embedding continuous security awareness in employees.

"Training should not be an 'event,'" Payton said. "We need to move from training to positive reinforcement. Candidly, most of the training we see falls into the 'they snooze, you lose' category of computer-based training."

She recommends creating a "feedback loop" for employees to "tell us why our security protocols get in the way of doing your job; an emotional trigger, to let us show you how following our advice protects you at work and at home; and offering something more than a compliance exercise."

Hadnagy said effective training has to include "real-world" examples. "We do impersonations during business hours to gain access to the building," he said. "The goal is not to make people look stupid, but to show weak spots and what you need to do to strengthen them."

Gazit also said "one-time, boot camp-style training for large groups" doesn't work. "These one-off blasts overload employees with information that they don't really relate to, so they tend to forget it as soon as they are back at their desks," he said.

And he agreed with fellow experts that employees need to feel that the training is relevant. "Executives, accountants, administrators and plant workers are not all subject to the same cyber threats, so training must help each group learn how to recognize and handle the specific threats they are most likely to encounter," he said.

Of course, just as is the case with technology, nothing will make an organization bulletproof. But Hadnagy said good training can dramatically lower the risk. He spoke of one company that hired his team two years ago to test their awareness, and 80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk.

"We went to town educating them, and then in a later test, which we made more difficult, they shut us down," he said. "We got nowhere."

That, he said, shows how effective good training can be. "Statements like, 'There is no patch for human stupidity' are damaging to the belief we can fix this," he said. "It's not about humans being stupid, but about humans being unaware and uneducated, and having no direction on what to do when attacks occur."
