Beware the Weakest Link: Human Behavior
Recently, The Washington Post included a front page article that should serve as a warning to any employer about increasingly sophisticated social engineering attacks that exploit one key vulnerability that is essentially immune to technical solutions: their employees. Social engineering attacks work by exploiting the natural human tendency to trust and thereby tricks the recipient into believing the contents of the communication is safe. Using bogus emails and phony websites, hackers can install programs to steal information, spy on the organization, or even disrupt operations. This is the fourth story in the Post’s ongoing cybersecurity series, Zero Day: The Threat in Cyberspace.
The backdrop for the article is a series of recent spear phishing attacks that have targeted specific employees of intelligence contractors, utility executives, and industrial-control security specialists. For many of the attacks, seemingly innocuous email messages that appeared to originate from trusted contacts were, in fact, cyberweapons that were part of a sophisticated and large-scale social engineering attack intended to trick the recipient into circumventing the organization’s security controls.
In a typical spear phishing attack, hackers employ email messages and similar communication methods that appear to come from a colleague or friend but which actually contain malicious code buried in a phony web site link or email attachment. Once the recipient clicks on the link or opens the attachment, the malicious code (often a remote access tool or “RAT”) is delivered and buries itself within the targeted network. Such malware often will reach out to the hacker, typically through an encrypted message or cloaked in what appears to be run-of-the-mill internet browsing, who then uses this secret back-door to install other malicious software to take control of the target company’s computers. These attacks can persist for months or even years in some instances, and allow the hacker to steal customer financial information, take sensitive corporate data, or even hijack industrial control systems.
Two main characteristics really distinguish this new wave of spear phishing attacks. First, hackers are starting to target specific individuals within a specific organization (sometimes high-level executives, but often low-level employees), who the hacker then studies to gather personal information that can be used to manipulate him or her. The target profile can be derived from an array of sources, including social media sites like Twitter, Facebook, and LinkedIn, as well as through other data mining techniques. Using this target profile, the hacker then includes specific details relating to the targeted individual in an effort to lower their guard and entice them into launching the hidden malware.
Companies spend fortunes on technical solutions to protect their networks, but ignoring this human vulnerability can render the technology investment utterly worthless. Even the best security technology must be supported by solid security policies and practices. Here are a few recommendations:
- Ensure that employee security training programs include information on social engineering and how to identify a potential spear phishing attack.
- Require all new hires to go undergo comprehensive security training as part of onboarding process, and provide periodic security reminders to all employees (which is an “addressable standard” (not required) under HIPAA, but is required under Massachusetts law). Building employee awareness of security threats can help prevent complacency.
- Ensure that employees know the proper procedures for reporting suspected security incidents and the individual(s) to whom they should report such events.
- If a spear phishing attack is detected, immediately issue an organization-wide alert so that other employees will watch for and identify suspicious communications.
- Integrate social engineering and spear phishing attacks into the organization’s security incident response plan and training practices.