The human asset in cybersecurity
Social engineering, that is, the manipulation of human assets for nefarious purposes, is a complex and difficult subject. It is, in effect, “human hacking.” The human asset is often the first compromised in a cyber-attack. A threat actor, after doing reconnaissance on their target, uses the information gained to obtain credentials or other information that will allow access to protected systems and resources. Often the attacker gets lucky and, with little effort and even less risk, obtains user credentials by what amounts to guessing, albeit in an automated fashion. The subject is difficult to discuss; many users are “confident” in their ability to protect their credentials, so they do not practice proper cyberhygiene. This has led to several high-profile breaches (see further reading, below).
Manipulation, social mining
Social engineering is defined as the manipulation of the human asset, mainly through human intelligence (humint) and open source intelligence (osint). These are the same techniques, among others, that intelligence agencies use to gather intelligence on foreign adversaries. Roughly 80% of all cyber-attacks start with a social engineering (SE) attack. These initial attacks take many forms, the most common being phishing emails that are very sophisticated and effective. Without venturing too far, these attacks work and produce real results; those with poor cyberhygiene are easily compromised, sometimes repeatedly.
Another fertile area is social media; aside from the inherent ability of social media to influence opinion and behavior, it has been shown that user data can be mined and used to build profiles that provide attackers with a wealth of humint and osint that can be used to obtain credentials or to compromise the asset.
Cognitive and social biases play heavily into the equation. One intriguing cognitive bias, known as the Dunning-Kruger Effect, postulates that the incompetent do not know they are incompetent, and this leads to an illusory, inflated self-image, which in turn leads to an asset that can be easily compromised; these assets do not typically follow instructions or take criticism well, which leads to a plethora of side effects. They are susceptible to flattery or to pandering to jealousies or biases, an approach that has been used to great effect; these vulnerabilities provide a very fertile attack surface, particularly on social media. Social biases are a veritable bottomless pit of opportunity to compromise assets with these proclivities. It should be noted that none of these techniques of mass manipulation are new — they have been used for ages to gain and retain power, but now, with valuable assets and critical infrastructure being the prize, the consequences are dire.
Methods of attack
Social Engineering attacks are one of the most dangerous threats. Threat actors use social engineering to attack systems for which they cannot find any technical vulnerabilities. It is generally accepted that these attacks can be detected but cannot be entirely prevented. There are several types of attacks using different methods. These attacks follow a common execution with similar phases. The most common pattern involves four phases:
- Recon: Information gathering (reconnaissance)
- Hook: Fostering a relationship with the target
- Exploit: Exploitation of information and/or relationship
- Exit: Departure, leaving little or no evidence of the attack.
Attack stages are shown in the diagram. The attack loosely follows the steps in a cyber “kill chain” (See Control Engineering, June 2019: “Understand the cyber-attack lifecycle.”)
Social engineering attacks can be human-based, or computer-based. Human-based attacks require the attacker to interact with the victim to acquire information, and therefore cannot attack more than one victim at a time. Computer-based attacks can attack thousands in a very short time. Phishing emails are an example of computer-based attacks.
Technical, social, physical
Depending upon how the attack is perpetrated, attacks can be further classified into three categories: technical-, social- and physical-based attacks. Technical-based attacks are typically conducted through online venues, such as social media or websites designed to gather information. Social-based attacks are conducted through relationships with the victim and make use of emotions and biases. Physical attacks involve activities, such as “dumpster diving” or “shoulder surfing” or outright theft. Physical attacks are often done in combination with social attacks to misdirect the victim, allowing theft of credentials or access to secured areas.
Finally, attacks can be defined as direct or indirect. The former requires the attacker to be in contact with the victim, and often requires physical contact, such as eye contact, conversation and presence in the victim’s work or home space. Direct attacks involve actual theft of documents or the perpetration of the long or short “con.” Direct attacks are often telephone calls; the fake IRS calls are examples of direct social engineering attacks. Indirect attacks do not require the attacker to be in contact with their victims. Malware, distributed denial of service (DDoS), phishing, ransomware and reverse social engineering are some examples of indirect attacks.
Five common attack types
Many variants exist on social engineering means and methods. All are based on basic human frailties; among these are curiosity, need and greed, and resentment. The skilled attacker has done his research and has tailored an attack to fit the weaknesses and vulnerabilities of the intended victim. Described below are the five most common types of attacks:
- Phishing: Easily the most common of the SE attacks, phishing gets its name from the practice of “phone phreaking,” whose aim was to manipulate the telephone network for thrills and free telephone calls. These attacks throw out a hook to see who or what bites. While the term is still used to describe deceptive telephone calls, by far the biggest venue for phishing is email. It has been estimated that over 80% of successful malware insertions occur with a phishing email scam. Phishing comes in several forms: Spear phishing — a targeted attack on one individual or facility; Whaling — a very targeted attack on a high-value victim, or “whale”; Vishing — the use of the telephone to perform the attack (voice and phishing); SMiShing — the use of text messaging (SMS and phishing). The list goes on. If the attacker has done thorough recon on the intended target, phishing can be very effective and difficult to detect and mitigate.
- Pretexting: Pretexting is the art of creating fake and convincing scenarios that cause the victim to trust the attacker and almost willingly give up their personal information or access credentials. Attackers use open source intelligence (osint), that is, information that is readily available in public documents, on the internet and particularly the information rich landscape of social media. The pretext takes many forms; job offers, offers of companionship or sex, something for nothing for a small fee — these scams are as old as the hills. The most familiar pretext is the “419 scam,” so called because they violate section 419 of the Nigerian criminal code. These are the scams whereby you are presented with an opportunity to share in an inheritance, or lottery winnings, or some other nonsense if you can just send the scammer money to help them “get the money out.” While it originated in Nigeria, there are many variants and copycats: beware of the cheap sunglasses scam.
- Baiting: These attacks play into the “need and greed” impulse and offer something free if you click a link on a website. Unlike “clickbait,” designed to drive up site hits, baiting attacks are used to install malware on the victim’s computer. An innocent-looking website offering a free financial planning spreadsheet for download is a typical example: as the spreadsheet loads, a reverse shell program loads with it, giving the attacker access to everything the victim subsequently accesses. Free music, movies and pornography all have been used as vehicles for malware delivery. A variant is the use of infected USB drives left around a coffee shop or parking lot that inexperienced users pick up and, out of curiosity, plug into their machines; this was the method of installing the Stuxnet worm into a secure Iranian nuclear facility that was otherwise air-gapped.
- Quid pro quo: Similar to baiting, this attack offers a benefit to the victim for providing information. This is particularly effective in social media. One common attack is the fake IT staff scam, an example of “vishing.” These attacks do not have to be very sophisticated and are often done on the fly, with victims being selected at random. One study done in Great Britain several years ago showed that people stopped at random in the subway would give away their network passwords for a bar of chocolate or a cheap pen or some other trinket (reference).
- Tailgating: This is a very common physical attack whereby the attacker, posing as another employee or as a deliveryman, accesses a secure area by “piggybacking” on the legitimate employee’s access. One common method is to ask someone to simply let the attacker in because “they forgot their ID card.” This method is used to gain access to secure areas and requires the attacker also to use pretexting to convince a dubious employee of their sincerity and legitimacy. A variant is having the attacker “borrow” the employee’s ID card “for just a minute” so they can go to their car to retrieve a forgotten something or other — resulting in a copied or compromised ID card. Most people want to trust. Attackers know this and take full advantage.
Five prevention techniques
Five prevention techniques can lower risk of human errors that create cybersecurity risks.
- Reduce the attack surface. This entails a thorough analysis of a facility’s IT infrastructure seen through the eyes of an attacker. Close up open ports, and secure the firewall. Limit access to critical systems to as few staff as possible.
- Do thorough background checks on critical staff. Since the weakest link in security is the human asset, the logical next step is to eliminate the human factor as much as possible. This means systematically removing human interaction as far as practicable. This may sound like heresy, but we face a crisis that has been brought on by carelessness and a failure of some to understand threats — in fact, many believe that cybersecurity is a solution in search of a problem. This type of thinking makes a skilled social engineer smile.
- Network safety team: While training can mitigate some threats, it is recommended that key staff be identified and trained to monitor for threats and breaches, and to act as network safety officers who regularly audit security procedures and review the cyberhygiene of other staff. These people must have the authority to shut down a vulnerability and the ability to remediate the offending employee’s behavior. A “strike team” composed of network admins, security staff and senior employees can act quickly to detect and seal off a breach, and then do a post-mortem to determine how the breach occurred.
- Role-based access: Nothing is going to stop an employee from writing passwords on a sticky note or from treating cybersecurity as a useless exercise. This type of mentality is tough to deal with while still allowing the employee to access the network and resources in the course of doing their job. Compartmentalization is one way to handle the problem; role-based access control (RBAC) is an effective method of compartmentalization. Requiring a formal access request and then monitoring the employee while they access critical data or systems is another technique. Multi-factor authentication is useful, but not if an employee does not take it seriously and is careless with their phone or other second means of authentication.
- Passwords: Mandating and enforcing intelligent password policy is effective in preventing staff from using easily guessed passwords like “1234567” or the ever popular “password.”
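The role-based access item above combines three controls: a role map, a formal access request for critical systems, and monitoring of the access itself. The following is an added illustration, not code from the article or from any product it mentions; the role names, resource names and user names are constructed, and the rule that a request must be approved by someone other than the requester is an assumed policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed role map: each role grants (resource, action) permissions.
ROLE_PERMISSIONS = {
    "operator": {("hmi", "read"), ("hmi", "write")},
    "engineer": {("hmi", "read"), ("plc-config", "read")},
}
# Critical resources additionally require an approved access request.
CRITICAL_RESOURCES = {"plc-config"}


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    approved_by: Optional[str] = None  # must be a second person, never the requester


@dataclass
class AccessControl:
    user_roles: dict  # user -> set of role names
    audit_log: list = field(default_factory=list)  # one line per decision

    def _role_allows(self, user: str, resource: str, action: str) -> bool:
        roles = self.user_roles.get(user, set())
        return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def authorize(self, user: str, resource: str, action: str,
                  request: Optional[AccessRequest] = None) -> bool:
        """Decide an access and record it; every decision is logged, not only denials."""
        allowed = self._role_allows(user, resource, action)
        reason = "role" if allowed else "no role grants this"
        if allowed and resource in CRITICAL_RESOURCES:
            # Compartmentalization: the role alone is not enough for critical systems.
            ok = (request is not None and request.user == user
                  and request.resource == resource and request.action == action
                  and request.approved_by not in (None, user))
            allowed, reason = ok, ("approved request" if ok else "no approved request")
        stamp = datetime.now(timezone.utc).isoformat()
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{stamp} {user} {action} {resource}: {verdict} ({reason})")
        return allowed
```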
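Enforcing the password policy described in the last item means rejecting a proposed password at enrolment or change time, not merely publishing a rule. The checker below is an added example, not code from the article; its denylist is a constructed handful of entries (including the article's “1234567” and “password”) standing in for a real breached-password corpus, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed denylist for illustration; a deployment would load a large
# breached-password corpus here instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "1234567", "12345678", "123456789", "qwerty", "letmein", "welcome",
}
MIN_LENGTH = 12  # assumed policy value

# Trailing digits/symbols that users bolt onto a dictionary word ("password2024!").
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def check_password(candidate: str, username: str = "") -> list:
    """Return the policy violations for a proposed password; empty list means accepted."""
    violations = []
    lowered = candidate.lower()
    core = _TRAILING_JUNK.sub("", lowered)  # "password2024!" -> "password"

    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        violations.append("appears on the common-password denylist")
    if len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the user name")
    if candidate.isdigit():
        violations.append("consists only of digits")
    if len(set(lowered)) < 4:
        violations.append("uses fewer than four distinct characters")
    return violations


def is_acceptable(candidate: str, username: str = "") -> bool:
    """Convenience wrapper for an enrolment or password-change handler."""
    return not check_password(candidate, username)


if __name__ == "__main__":
    samples = [("password", ""), ("1234567", ""), ("Password2024!", ""),
               ("jsmith-Operator-99", "jsmith"), ("correct horse battery staple", "")]
    for pw, user in samples:
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```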
Proper cyberhygiene, like personal hygiene, can be taught, but as we all know, is not always practiced.
The human asset continues to be the weakest element in cybersecurity. A company can spend millions of dollars on automation, training, active intruder detection, mitigation and prevention, and active countermeasures — all to be foiled by an employee who is careless or incompetent. Removing the human element where possible can reduce cybersecurity risk.
Daniel E. Capano is senior project manager, Gannett Fleming Engineers and Architects, and on the Control Engineering Editorial Advisory Board. Edited by Mark T. Hoske, content manager, Control Engineering, CFE Media and Technology.
KEYWORDS: Cybersecurity, human cyberhygiene, cybersecurity training and tips
Social engineering can manipulate humans to compromise cybersecurity.
Social media and cognitive bias can weaken human defenses.
Lower attack footprint, regular checks and an internal network safety team can help.
The most hardened cybersecurity can be thwarted by one person who lets down defenses.
Further reading on human cybersecurity
The Art of Deception, Kevin Mitnick
Social Engineering: The Art of Human Hacking, Christopher Hadnagy
The Risks of Social Networking, Symantec