When it comes down to it, everything is about humans. We get swept up in technology and innovation, but it was invented to be an adjunct to our human day-to-day activities. Researchers in Human Computer Interaction, or HCI, both observe the ways in which humans interact with computers and design technologies that let humans interact with computers in novel ways. Socio-technical systems that facilitate this interaction offer huge opportunity. This is no less true for cyber security: it is the human factor as much as the technology that needs to be considered in any strategy built to combat the onslaught of cyber threats that our technology, especially highly connected technology, poses. In a recent article about the Top 5 Cyber Security Risks for Companies, we placed ‘Users’ as one of those top 5 threats. So why are humans both a risk to, at threat of, and beneficiaries for cyber security, and does this impact companies?
The human factor in cyber security threats
If one thing has become clear in the last year of cyber security attacks, it is that this is now personal. Cybercriminals are playing games with us, using their threat toolset to steal identities, bring down websites, and extort money. The cybercrime statistics for 2015 are breathtaking. In 2015, Symantec, in the Internet Security Threat Report, identified 430 million new pieces of malware, a year on year increase of 36%. And according to the Breach Level Index report into exposed personal data, the same year saw a staggering 707 million records breached, with the trend continuing in 2016.
It seems that cybercriminals are always one step ahead of our security professionals, but why is this? Cybercrime, when it is broken down, is based on the same set of principles, and the same mindset, as the scams of old. Frank Abagnale, the infamous scammer, played by Leonardo DiCaprio in the 2002 film “Catch Me If You Can” would use human psychology to trick his victims into doing what he wanted. In the same way, modern cybercriminals trick users into doing what they want, downloading malware, clicking on a link in an email to a spoof website, sharing login credentials to a resource server, paying up ransoms for encrypted data, or even unwittingly carrying out a Denial of Service Attack (DDoS) like the one we saw this week waged against Twitter, Spotify and others. All of these, when broken down, are initiated by psychological tricks played against human counterparts. The only difference between con men of old and today’s tricksters is that today they utilize technology, and in particular the flaws in technology, to widen the scope of their activity.
Types of threats where human behaviour is a cause
These tricks are known collectively as ‘social engineering’. That is taking a social situation, like a human being receiving an email and engineering the situation so that the email, actually from a hacker, looks like it is from their CEO. The email may demand they immediately login to a server, or send a cash transfer to a new client. Because the email is cleverly put together, using our own normal behavioural traits against us, it is invariably successful.
The types of threats that we see which commonly utilize human behaviour (and where learning more about behaviour can help address) include:
Phishing is a perfect example of a social engineering exercise for a cybercriminal. The premise of the method is entirely based on tricking a user into doing something because they believe it is real and legitimate. Last year 85% of organisations reported that they were a victim of a phishing attack, and individuals are just as vulnerable. Spear phishing is a particularly focused and sinister form of phishing which targets victims, where the fisher will often go to great lengths to learn about their target, making the resultant phish even more plausible. If criminals are spending a lot of time looking at humans interact with the services and technology available to them, it makes sense that companies should too.
Whaling or Business Email Compromise
Business Email Compromise is a variant of spear phishing that is highly lucrative making cybercriminals around $2.3 billion last year. The emails are sent to targeted employees of an organisation – often in accountancy departments – and look to be genuinely from someone within the company. The emails then ask for a transfer of monies to be made immediately, or in many cases to ask for employee tax data to be emailed – which is then used to perpetrate tax fraud.
Insiders don’t have to be malicious to cause a security breach. A great example of this is accidental email sending. At a G20 Summit meeting in 2015, 30 of the world’s leaders passport details were unintentionally sent by the Australian immigration department to the Asian Football Cup Tournament organizers. Of course, it’s not all so inncocent. Malicious threats are also a serious issue within a company. According to research by Accenture and HFS Research, 69% of enterprise security professionals have experienced an attempted theft of data by someone they work with.
Individuals are at risk
Cybercriminals have their beady eyes on the target and the target is a human being. It’s not always big organisations who are under threat, and the impact ripples down to individuals.
Korea Credit Bureau: Affecting an astonishing 40% of the South Korean population, in this instance a contractor stole Personally Identifying Information (PII) and credit card details of 27 million bank users, by misusing his access rights and copying the data to an external drive over a period of 18 months.
Ubiquiti Networks Inc: This was a BEC attack where spear phishing emails were targeted to finance department employees. The emails impersonated top-level company executives and requested fund transfers. In the end, the company lost $46.7 million.
Anthem Blue Cross: This was a spear phishing attack against IT employees which resulted in the theft of a critical system password, ultimately leading to the exposure of the data of 78.8 million customers. Once that data had been leaked it created a chain of attacks, this time against the customers themselves, who received a phishing email purportedly from Anthem, asking them to click on a link to set up identity theft protection. The link went to a spoof site which went on to collect even more personal data.
Ways of Mitigating the Human Factor in a Cyber Attack
In the war on cybercrime, we have to fight fire with fire. Cybercriminals use a mix of human behaviour and technology to enact their goals. Companies too have to use this same dual approach, combining behaviourial analysis and technology, to mitigating the very real and present danger of cyber crime.
Security awareness is something that all companies should do as a baseline exercise. Making sure all employees, contractors, and other members of the vendor supply chain are aware of the risks associated with social engineering tricks played by cybercriminals. This may mean a concerted company wide effort to carry out spoof phishing exercises which help to allow users to spot the types of tricks that phishers use. Making users security aware is also useful against accidental insider threats.
But security awareness is not enough to prevent cyber security attacks. We must use the best tools available to mitigate those risks. Authentication technology, live insight into potential threats, and understanding of human behaviour can all play a role.
You may not be able to prevent every user from clicking on a malicious link, but you can stop the hacker from stealing login credentials. If you use second factor authentication (2FA) you can stop the phisher dead in their tracks. 2FA requires a second method of authentication after a password has been entered.
Risk based authentication adds in layers of further protection to enforce access rights by applying rules such as login by IP address, and so on.
Correct implementation of internet security
Increasingly important as the vendor ecosystem expands and more people work remotely, this includes ensuring that HTTPS is used across a site wherever user data is being transmitted.
By knowing how and when your users typically act, it is easier to spot when something out of the ordinary takes place, and as a result, address it. This helps prevent both external hacking and insider threats, making it easier to spot when unusual actions take place, such as data exfiltration events.
Turbulent history – promising future?
In the scheme of things, human beings and computers have a short history, but that history is a turbulent one. Recognising that technology use really is all about humans, and applying that factor in security as well as using the best tools available, we will give ourselves the best chance of winning this war on cybercrime.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.