4 minute read
The Human Factor - The Lowest Hanging Fruit For Cyber Attackers
The Risk Echo
Stephen Babigumira MSc, CISSP, CRISC, CEH, CISA, ISO 27001 LA, OCA
Information Security Manager & Data Protection Officer, National Social Security Fund
Information technology has risen to prominence as a critical success factor for competitiveness among organizations. As firms continue to enjoy the benefits that come with embracing IT, attackers are also active participants in this innovative space, by orchestrating highly sophisticated attacks that match the advancement in technology.
As organizations grapple with the waves of change in technology and cyber-attacks, one challenge remains constant, that is, the users of the technology solutions.
Highlighted as the weakest component of any information security setup, employees have become the most important point of interest to attackers. Staff often make mistakes that give attackers opportunity to strike and cause harm to organizations. Instead of trying to penetrate sophisticated firewalls, attackers are targeting soft spots, which are the employees. Unfortunately, organizations often overlook this threat paused by insiders, by counting blindly on trust that all employees know what to do to protect the valuable information assets. This leaves many staff drowning in a pool of ignorance on the latest cyber-attacks, their impact, how they are orchestrated and how to stop them. As a result, cyber criminals are exploiting this forgotten layer (human) to successfully attack systems. According to Verizon’s 2021 Data Breach Investigation Report (DBIR), 85% of all breaches involved the human element; with phishing, a form of social engineering, representing 36% of breaches, followed by Business Email Compromises (BECs). Also, the 2020 Trustwave Global Security report highlighted that half (50%) of the incidents investigated were as a result of phishing and other social engineering techniques.
Phishing involves setting a bait, with the hope of persuading a few users into sharing their personal information (usernames and passwords) or downloading a malicious file that provides criminals with access to your organization’s systems and data, as legitimate users.
ISSUE FOUR|JAN 22
Traditionally, phishing used to be done through generic deceptive emails, today it has expanded to SMS (Smishing) and Voice (Vishing). These attacks can be orchestrated from individuals or companies that are well known to the user. The attacks are becoming more customized and target-based.
Currently, phishing is done in many forms, such as Spear Phishing, Whaling and Pharming. Spear Phishing is a personalized attack, targeting specific individuals in an organization. Whaling is a phishing attack that targets very high ranking individuals in an organization such as senior managers. CEO-fraud; this is where the attacker impersonates a company’s CEO or other top management official to authorize payment or extract insider information from employees. Pharming involves redirecting a user away from a legitimate website to a spoofed/cloned version.
On July 15, 2020, Twitter reported that 130 accounts of high profile people, including that of Mike Bloomberg, Jeff Bezos, Barack Obama, Joe Biden, Kim Kardashian, Elon Musk and Bill Gates, among others; were targeted in an attack. The accounts began tweeting a Bitcoin scam, promising to “give back” to the community by doubling any Bitcoin sent to their address.
Attackers used phishing techniques to call up the company’s consumer service and tech support personnel, instructing them to reset their passwords. Some employees fell for the bait and entered their usernames, passwords and multifactor authentication codes to a dummy site set up by the hackers. The attackers then used these credentials to gain access to Twitter’s internal administration tools. It’s reported that by the time the attack was stopped, the hackers had received hundreds of transfers, worth more than $100,000.
Unfortunately, it’s not easy to stop such kind of attacks; security tools such as Next generation firewalls, endpoint detection and response, antivirus, etc, have not been designed to stop such attacks that appear to be from a legitimate source. Criminals love this kind of attacks because they don’t make a lot of noise on the network to be detected easily. Secondly, the use of legitimate credentials that the user gives away makes them hard to stop by any security tool.
So, as an organization, you should look at turning your staff into the strongest point of defense against social engineering, by empowering them to identify, report and stop such attacks. The best way of stopping an attack is getting to know about it and how it’s orchestrated. Without adequate information, security awareness and training, staff are less likely to recognize or react appropriately to information security threats, and are more likely to place information in the hands of attackers, through ignorance and carelessness.
A formal security awareness and training program, with a goal of sensitizing and training users of the potential threats to their organization’s information and how to avoid situations that might put their data at risk, is a great approach to building a strong human firewall around your information assets. The program will help to lower the organization’s attack surface through empowering users to take personal responsibility for identifying information security threats, protecting the organization’s information, and to enforce the policies and procedures your organization has in place to protect its data.
Remember that most of the users in organizations are not security conscious and are not thinking about security all of the time. So they must be continuously sensitized and trained to make them security-conscious. Different methods of sensitization could be employed such as InfoSec bulletins, banners, presentations among others.
Staff play a very important role in running a successful information security program. An untrained and negligent workforce can expose their organizations to data breaches. Therefore, organizations must adopt and implement a sustainable security awareness and training program that includes essential guidelines needed to stop imminent cyberincidents.
