What is the weakest link in your client’s network? It’s not unpatched software (although you should patch) or unimaginative passwords (although you should change them). The weakest links are the humans themselves: Joan in accounting or Stan in human resources.
Being human is a vulnerability, and that’s what the bad guys are counting on. Getting Joan or Stan to inadvertently open the network is cheaper and easier than breaching solid cyber-defenses. This philosophy is the backbone of social engineering.
Christopher Hadnagy, author of Social Engineering: The Science of Human Hacking, relayed his social engineering thoughts to Rob Sloan at Security Roundtable.
“I send 3 million phishing emails a year. I actively research and write about it every day and I still clicked on a phish. I refuse to believe it’s because I’m a stupid human. It’s because that phish happened to be the right emotional trigger at the exact right time. I took an action I would never take on a normal basis,” as Hadnagy described to Securityroundtable.org.
Hackers know that Joan in accounting would never ignore an invoice from “West Systems,” one of her company’s biggest accounts. The hackers play into that and eventually, Joan is duped. Stan in human resources would never ignore the resume from the headhunter’s office, so the hacker exploits that vulnerability.
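The "West Systems" invoice lure above works because the display name looks right even when the sending address does not. The following is an added example, not code from the article or from the people it quotes, of the kind of cheap header check an MSP mail gateway can run before the message ever reaches Joan: it compares the From: display name and sending domain against an allowlist of trusted vendors. The vendor name "West Systems" is taken from the article; its legitimate domain, the allowlist structure and every sample header are constructed for illustration.

```python
"""Flag inbound mail whose From: header impersonates a trusted vendor (added example)."""
import difflib
from email.utils import parseaddr

# Assumption: the organisation keeps an allowlist of vendor display names and the
# domains each vendor really sends from. The domain below is invented.
TRUSTED_VENDORS = {
    "west systems": {"westsystems.example"},
}


def normalize_name(name):
    """Lower-case and collapse whitespace/hyphens so "West-Systems" equals "west systems"."""
    return " ".join(name.lower().replace("-", " ").split())


def registrable_part(domain):
    """Keep the last two labels of a domain.

    Assumption: no public-suffix list, so co.uk-style TLDs are not special-cased.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def looks_like(domain, legit, threshold=0.8):
    """Lookalike test on the label before the TLD.

    Matches when the labels are equal after stripping hyphens, when the legitimate
    label is embedded in the suspect one (west-systems-invoices), or when the
    similarity ratio is high (westsysterns vs westsystems, rn for m).
    """
    a = registrable_part(domain).split(".")[0].replace("-", "")
    b = registrable_part(legit).split(".")[0].replace("-", "")
    if a == b or b in a:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def assess_from_header(from_header):
    """Return a verdict: which trusted vendor (if any) really sent it, plus a sorted list of flags."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    verdict = {"display": display, "domain": domain, "vendor": None, "flags": []}
    name_key = normalize_name(display)
    flags = set()
    for vendor, domains in TRUSTED_VENDORS.items():
        legit = {registrable_part(d) for d in domains}
        if registrable_part(domain) in legit:
            verdict["vendor"] = vendor  # mail really comes from the vendor's own domain
            return verdict
        if name_key and vendor in name_key:
            # Display name claims the vendor but the address does not: the invoice lure
            flags.add("display_name_impersonation")
        if any(looks_like(domain, d) for d in legit):
            flags.add("lookalike_domain")
    verdict["flags"] = sorted(flags)
    return verdict


def flagged_headers(headers):
    """Scan a batch of From: headers and return (header, flags) for the suspicious ones."""
    results = [(h, assess_from_header(h)["flags"]) for h in headers]
    return [(h, flags) for h, flags in results if flags]


# Constructed sample headers (not real mail).
SAMPLE_FROM_HEADERS = [
    '"West Systems Billing" <ar@westsystems.example>',
    '"West Systems Billing" <ar@west-systems-invoices.example>',
    '"West Systems" <accounts@westsysterns.example>',
    '"Joan Smith" <joan@othercorp.example>',
]

if __name__ == "__main__":
    for header, flags in flagged_headers(SAMPLE_FROM_HEADERS):
        print(f"{header}: {', '.join(flags)}")
```

The caveat a practitioner should keep in mind: this catches only impersonation of vendors on the allowlist, and it cannot catch a message sent from a genuinely compromised vendor mailbox, which passes every header check. That gap is exactly why the article's emphasis on training the human recipient still stands.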
The fastest-growing threat
Hussain Aldawood is a cybersecurity expert and lecturer at the University of Newcastle in Australia and a leading authority on social engineering. Aldawood has devoted his career, including his doctoral thesis, to studying the phenomenon of social engineering and how best to combat it.
Social engineering has emboldened criminals. Some of the fastest-growing corporate crime threats have steered away from exploiting technical vulnerabilities in information systems and instead focus on humans, the target considered the weakest link in every business, Aldawood shares.
“Hackers are more inclined to use human vulnerabilities in an attempt to gain access to organizational systems, rather than focusing on the lapses in a system’s hardware or software,” details Aldawood. Research backs up his claim.
Aldawood cites the statistics: “Three percent of the attacks happen to target the technical infrastructures of organizations. On the other hand, 97 percent of malware attacks targeted users through social engineering hacking attempts.”
Technical fixes in networks are the easy part. There’s always a way to re-patch, re-code, or reinstall. “Fixing” a human is harder.
“The nature of social engineering attacks is complicated, since attackers exploit human vulnerabilities, which cannot easily be secured,” admits Aldawood.
MSPs tasked with guarding a network against intrusions are then put into a difficult situation. Most MSP tools are aimed at keeping outsiders at bay, when the most common way in is actually an insider being tricked into opening the door. The biggest breach Aldawood has seen in his career brought one of the world’s biggest companies to its knees.
Aldawood was working at Saudi oil giant ARAMCO in August 2012 when it was hit with malware intended to shut down oil and gas distribution. The Shamoon-1 wiper was behind the attack and destroyed or partially wiped thousands of computers. For a time, ARAMCO was forced back into the pre-computer era of paper invoices and contracts.
“The company confirmed that one of the main causes of this particular incident was the lack of information security awareness,” recalls Aldawood.
An investigation years later determined that, “One of the computer technicians on Saudi Aramco’s information technology team opened a scam email and clicked on a bad link. From that point, the hackers were in.”
If an elite technician at one of the world’s biggest companies can be successfully spear-phished, then anyone is vulnerable.
What can MSPs do?
Aldawood offers advice for MSPs looking to contain the human vulnerabilities in their clients’ systems. Hackers are adept at luring victims into breaking security protocols, which lets them exfiltrate information that can then be used to stage a more severe attack. MSPs need to train workers to be on guard.
“In an attempt to tame and reduce social engineering fraud, enterprises and institutions are advised to establish comprehensive protocols and clear policies,” notes Aldawood.
Employee training is vital and MSPs should offer this service as part of their security packages.
“Increasing the level of information security awareness and implementing training programs for employees and members of organizations so that they know how to safeguard their own information and systems is crucial,” stresses Aldawood.
To better combat social engineering-based attacks, MSPs can help organizations by designing or providing up-to-date awareness programs. Such programs can be the most effective way to raise employee awareness and prevent these crimes.
Vulnerability is part of being human, as hackers and their victims know all too well. The good news for MSPs is that you don’t need to invest a ton of money in fancy equipment to combat this danger. Training and awareness are the strongest and most effective defenses that MSPs can offer.
Photo: Alex Kotliarskyi / Shutterstock