The Human Factor: Security Control and Behaviour

Mchael Poncardas
4 min read · Dec 13, 2021


Security is a greater concern today than ever before. With malicious actors turning to social engineering, it can be hard to know what information a person has shared with others and how it might be used against them.

The human element plays a crucial role when it comes to securing computer networks, as we are all vulnerable due to our dependence on technology. People are often the weakest link in an organization’s defenses. That’s why it’s so important that employees know how to spot suspicious people and behaviors that could lead to a cyberattack or other intrusion.

To protect themselves effectively from social engineering, people first need to understand what kinds of information an attacker needs in order to build a believable scenario, because the more of that information the attacker holds, the better the chance of success.

Summary of use cases

The article “Social Engineering: The Art of Deception” by Ir. M.B. Paques CISSP CISA provides clever and insightful real-life use cases of social engineering attacks. It also explains the methods, techniques, and tools used in each attack, as well as the countermeasures that mitigate it. The two case studies that caught my attention were cases 1 and 3.

Paques, M. B. “Social Engineering: The Art of Deception.” Compact, https://www.compact.nl/en/articles/social-engineering-the-art-of-deception/.

In the first case study, two people carried out the attack. One of them distributed a document posing as a survey link for the company’s Christmas party while the other lay in wait. Before the actual operation, the criminals had already conducted thorough research on their potential targets.

This allowed them to target their victims, in this case young employees. Victims were tricked into taking the survey for the chance to win in a raffle draw. The victims who clicked and visited the fake survey link unknowingly gave their user credentials to the attackers.

In the third case study, the attacker performed a classic social engineering technique called tailgating, in which an attacker follows directly behind an employee to get into a restricted facility that requires a key card to enter. In this case, the attacker posed as an employee waiting outside in the smoking area as a disguise.

The attacker then initiated a casual conversation with the employee and proceeded to follow right behind the unsuspecting employee as he entered the company’s building. The attacker continued to tailgate the employee and was able to pass several floors that were only accessible with key cards. The attacker immediately found a common office space where a reconnaissance of the company’s internal network was conducted.

As a result, the attacker was able to harvest several employees’ sensitive credentials via a spoofed intranet website and successfully compromised an administrator account to gain higher access privileges on the corporate network. All of these actions were performed by the attacker in less than an hour.

Trends in Social Engineering

According to “The Human Factor 2018” report published by Proofpoint, an enterprise security company, cybercriminals have amplified their operation by exploiting the “human factor” aspect of security through social engineering techniques.

The report added that over the years, the number of threats focused on “human-centric” attacks outnumbered those relying on automated exploits. In particular, phishing attacks distributed via email campaigns remain the most common attack vector.

Among the key findings of the report is that typosquatted, suspicious-looking domains outnumber legitimate brand-registered domains by 20 to 1. Fake browser plugin updates accounted for 95% of social engineering in web-based attacks.
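The 20-to-1 ratio above concerns lookalike domains. One defender-side way to surface them is to compare every sender domain seen in mail-gateway or proxy logs against the organisation’s protected brand domains, folding common visual substitutions and allowing a single edit or transposition. The following is an added example, not code from this post or from the Proofpoint report; the brand list, the sample sender domains and the threshold are constructed for illustration, and `registrable_label` is a deliberate simplification that ignores public-suffix rules.

```python
"""Flag mail-sender domains that look like typosquats of protected brand domains.

Added example, not code from the post or the Proofpoint/APWG reports.  The brand
list, sender domains and threshold are constructed for illustration; a real
deployment would feed it domains pulled from gateway logs and use a
public-suffix-aware parser for the registrable label.
"""

# Constructed: the organisation's own domains that attackers would imitate.
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# Constructed: sender domains as they might be extracted from gateway logs.
SAMPLE_SENDERS = [
    "example.com",        # genuine
    "exarnple.com",       # 'rn' imitating 'm'
    "examp1e.com",        # digit '1' imitating 'l'
    "exampel.com",        # adjacent-letter transposition
    "example.net",        # same label, different TLD
    "example-login.com",  # brand name plus a lure keyword
    "unrelated.org",      # no resemblance
]

# Characters commonly substituted because they render alike.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_DIGRAPHS = [("rn", "m"), ("vv", "w")]


def registrable_label(domain):
    """Second-level label of a domain.  Assumption: no public-suffix handling,
    so 'x.co.uk' would yield 'co'; a real tool should use a PSL library."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold look-alike characters so visual imitations collapse to the brand."""
    s = label.translate(_HOMOGLYPHS)
    for pair, repl in _DIGRAPHS:
        s = s.replace(pair, repl)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps,
    so a single transposition ('exampel') counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return (verdict, imitated_brand).  Verdicts, in order of precedence:
    genuine, tld-variant, homoglyph, lookalike, brand-keyword, unrelated."""
    domain = domain.lower()
    if domain in protected:
        return ("genuine", domain)
    label = registrable_label(domain)
    folded = normalize(label)
    for brand in protected:
        brand_label = registrable_label(brand)
        if label == brand_label:
            return ("tld-variant", brand)
        if folded == brand_label:
            return ("homoglyph", brand)
        if osa_distance(folded, brand_label) <= max_distance:
            return ("lookalike", brand)
    for brand in protected:
        if registrable_label(brand) in folded:
            return ("brand-keyword", brand)
    return ("unrelated", None)


def scan(senders):
    """Classify every sender domain; callers can alert on anything not genuine."""
    return {d: classify(d) for d in senders}


if __name__ == "__main__":
    for domain, (verdict, brand) in scan(SAMPLE_SENDERS).items():
        print(f"{domain:20} {verdict:14} {brand or ''}")
```

The edit-distance threshold of 1 is conservative on purpose: raising it catches more variants but, on short brand labels, starts matching unrelated words, so in practice it is tuned per brand and paired with an allow-list of known partner domains.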

About 55% of customer support scams originating on social media were found to target financial services customers. In addition, clickbait links that redirect users to fake, malware-laden websites accounted for about 35% of fraud spread through social media networks.

The report notes that in 2017, the top three phishing targets included cloud storage accounts, financial institutions, and email credentials.

A more recent report from the Anti-Phishing Working Group (APWG), focused on phishing activity, recorded 151,014 phishing detections in the third quarter of 2018. The most frequently targeted industries were payment systems, software as a service (SaaS), webmail, and file hosting companies.

Conclusion

While cybercriminals are becoming more sophisticated in their attack methods and obscuring threats with complexity, one thing remains in their strategy: exploiting the weakest link in the security chain — the human factor.

Organizations need to take a closer look at this “human factor” as a security aspect of their daily business operations. Implementing an effective cybersecurity education and awareness training program can go a long way toward protecting valuable business assets from malicious actors.

References

Bordessa, E. (2018). Report shows increase in social engineering. IT Governance. https://www.itgovernance.co.uk/blog/report-shows-increase-in-social-engineering

Kaspersky. (2017). Social Engineering — Definition. https://usa.kaspersky.com/resource-center/definitions/social-engineering

Paques, M. B. Social Engineering: The Art of Deception. Compact. https://www.compact.nl/en/articles/social-engineering-the-art-of-deception/

Proofpoint. (2018). The Human Factor 2018 Report. https://www.proofpoint.com/us/human-factor-2018

Anti-Phishing Working Group (APWG). (2018). Phishing Activity Trends Report — 3Q 2018. https://docs.apwg.org/reports/apwg_trends_report_q3_2018.pdf

Norton. What is social engineering? Tips to help avoid becoming a victim. https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html

Hi! Mchael here…👋

Thank you for taking the time to read until the end! If you have any questions, inquiries, or suggestions, feel free to drop a comment below or get in touch with me at hello@poncardas.com or visit my website www.poncardas.com.
