If you’re like most organizations, you have invested heavily in protecting your organization from cyber threats. Gartner projects that the spending on cybersecurity will exceed 124 Billion dollars in 2019 alone. Gartner projects that the spending on cybersecurity will exceed 124 Billion dollars in 2019 alone. This market has attracted a constantly growing list of new technology offerings from cyber defense companies that leverage AI and machine learning that seek to identify and defend against modern security threats. The marketplace is flooded with these offerings to solve the increasingly complex and rapidly adapting capabilities of cybercriminals. But if we measure the success of the effort and money that industries have spent on securing data, would we consider them successful? Just the Facts…
- Per Gemalto’s Breach Level Index, roughly 74 records are compromised a second based on reported breached records since 2013
- According to RBS, over 5 billion records were reported compromised in 2018 alone.
- In 2018, 12 breaches exposed over 100 million records versus 13 in 2017
- According to a 2018 Verizon study, Social engineering attacks account for 93% of successful breaches
- According to RBS, in 2018 the threat vector that exposed the most records (over 2 billion) was human error by internal resources
Social EngineeringSocial engineering can be defined as the art of convincing or manipulating someone (hacking human psychology) to gain unauthorized access to buildings, systems or data. Defeating a cyber technology control like a firewall or even cracking a strong password can be extraordinarily difficult – but convincing an employee to share information like a password or to click on a link or visit a website is much easier.
How Social Engineering WorksThe reason why social engineering attacks are so successful is that human psychology wires us in ways that make us vulnerable. Three common psychological traits that help social engineers succeed are:
- Our desire to be helpful
- Our tendency to trust people we don’t know
- Our fear of getting into trouble
- Reciprocity – The requester gives or promises something of value in return. An example could be the Nigerian prince scheme, where the victim is promised a great sum of money for a small fee.
- Commitment and consistency – In this case, the target has publicly endorsed the requester in some way. For these attacks, the social engineer may reach out initially and gather public information from a victim and then call back and ask for progressively more sensitive data since the victim has already provided information in the past.
- Social proof – The requester convinces the target that complying with the request is the popular thing to do. In this type of attack, an email could be utilized to communicate that 8 out of 10 market leaders know this secret and you can too with a comprised attachment that you need to open.
- Authority – The requester establishes a position of authority over their target. This is a popular avenue of attack; an attacker will send an email as a boss or senior executive requesting information.
- Liking – The requester establishes rapport with their target. The attacker may call and illicit sympathy or empathy using pretext to convince the victim to provide confidential or privileged information.
- Scarcity – The requester is making a limited time offer or offering something in short supply. In this type of attack, there could be an email stating that there are a limited number of prizes that require that the victim click on a compromised web link that infects their system.
Common Social Engineering Attack VectorsThere are 4 primary vectors that Social engineers use to attack their victims:
- Phishing – This is the most popular vector of attack, with 98% of successful breaches coming through email. Phishing is the use of email to pretend to be a legitimate organization or person that attempts to fraudulently obtain private information.
- Vishing – Also known as voice phishing, is the criminal practice of using the telephone system to convince a victim to provide access to personal or financial information.
- Smishing – This vector utilizes SMS text messages to convince the victim to take an action that compromises their information or device. A common attack is an SMS message that claims to be from your bank but needs to confirm your credit card information to re-activate it.
- Impersonation – This vector involves the attacker pretending to be someone else with the goal of gaining physical access to a target location or system.
The Human Firewall, your first line of defenseConsidering the success of the social engineering vector and the fact that our human psychology is working against us, it may feel like defeating social engineering is an almost impossible task. Thankfully it is not. There are 3 key steps that an organization can take to defend against these attacks that have proven to be successful.
- Implement Security Awareness Training for EVERYONE in the organization and market it heavily. It is essential that every person in your organization realize that they are a key piece in defending your business and sensitive and privileged information. Comprehensive security awareness training:
- Is based on real threats they are likely to see
- Contains simulated attacks are implemented to test retention and adherence
- Has consistent testing and messaging that are provided on a regular basis that outlines additional types of attack your industry is seeing
- Test employees for retention to ensure that key learning objectives are effective
- Occurs on a regular basis to ensure it stays top of mind
- Implement a Security-aware culture. This requires that the highest levels of the organization push and enforce the need for individual security accountability. This can be done by:
- Adding measurable objectives to yearly performance reviews
- Ensuring policies that address security are in the employee handbook and that they are reviewed at regular intervals
- Implementing a reward system (gamification) for being security evangelists across the organization
- Implement a random Social Engineering Penetration Test at least once a year. It’s optimistic to believe that our employees will always act in a way that is consistent with our policies and processes, but it is important to verify in practice and can act as a litmus test for how effective, or ineffective, steps 1 and 2 have been on your company culture.