Politely Paranoid: the current state of cybersecurity

Four Lessons from FIC 2020

The theme of FIC 2020 was Putting Humans at the Heart of Cybersecurity, so it's no surprise that social hacking remained a hot button topic throughout the three-day conference.                         

While social engineering has been around for decades, recent years have registered a concerning uptick in the quantity and quality of social attacks. Using simple, yet effective techniques, Silent Breach ethical hackers have found that a layered attack -- combining phishing, vishing, as well as targeted spearphishing attacks -- can critically breach 90% of businesses within one week, all without writing a single line of code.

Gone are the days of poorly formatted mass phishing emails alerting you to your newfound Nigerian wealth. Today, hackers can easily craft customized spearphishing attacks via a quick Google search or browsing social media. Here we will discuss the latest trends, lessons, and warnings from FIC 2020:

The Human Behind the Machine
"Humans aren't the weakest link. They're the missing link," Deanna Caputo, a behavioral scientist at MITRE, announced to an auditorium packed with technologists, military professionals, and security analysts. In other words, the reason why the majority of security breaches result from human error is not because humans are inherently flawed. Rather, it's because the tools and processes designed to keep us safe do not take into account the actual users who are meant to implement them.

For example, telling employees not to click on 'suspicious' links will produce limited results when there are no clear and consistent guidelines for declaring a link 'suspicious'. Instead, one speaker suggested, recommend that employees ignore all 'unverified' links, i.e. any link that the recipient was not separately informed (perhaps via Slack) to click on.

Accordingly, when developing a security tool, standard, or process, it is critical to first ensure that you're designing for how people will use it, not for how you'd like them to use it. By carefully accounting for the human element, cybersecurity can go from being an idealistic goal to a realistic solution.

Social Media
In February of 2004, social hackers were handed the gift of a lifetime in the form of Facebook. While unimaginable at the time, Facebook's success ushered in a new era of mass human communication, i.e. social media. Since then, platforms such as Twitter, Instagram, and LinkedIn provide users with a treasure trove of personal data on pretty much anyone in the world. Social media has made social hacking easier and cheaper than ever before.

So, what's the solution?

According to Rachel Tobac, co-founder and CEO of Social Proof, "You don't need to delete your social media. You need to be politely paranoid." To use her example, it's okay to post a photo of your vacation in Cancun, but it's probably a bad idea to tag the hotel you're staying at. Once a hacker knows your name, the date of your stay, and the name of the hotel, they can easily give them a spoofed call and make off with your hard-earned reward points.

Artificial Intelligence
Asked about the potential for AI to automate and mass produce social engineering attacks, Jeff Moss, Defcon founder, remained skeptical. "For the foreseeable future, a human, not AI, will always be a greater threat to other humans." While AI may be good at gathering useful background info or predicting which attack vector to utilize, the actual social attack will require a level of emotional intelligence that Artificial Intelligence currently lacks.

In the meantime, both the private and public sectors should increasingly invest in AI research to ensure that critical innovations are (at least initially) used to help secure our networks, rather than breach them.

Mitigation Techniques
1. Take a breath. Ask a question.
Social hackers will usually use some sort of financial or time-based pressure to make their victims act impulsively (e.g. "You credit card has been hacked and if you don't provide me with your account credentials right now, your account may be cleaned out"). In the legitimate world, this is rarely the case. So, if you feel yourself getting emotional or worried, this is a good sign that you should take a deep breath and politely ask if you can call them back. Chances are, the next thing you'll hear is a dial tone.

2. Two Person Rule
Key functions should require more than one person to sign off. Each person has a distinct set of biases, so by requiring more than one person to okay a decision will greatly decrease your risk. For example, Tobac found that while 100% of men fell prey to her vishing attacks, very few women made the same mistake. Remember, redundancy always decreases risk.

3. Migrate away from email
There are many direct messaging applications with end-to-end encryption (such as Slack, Signal, WhatsApp) readily available. As much as you can, slowly migrate your communications to one of these.

Protect your business. Talk to a Silent Breach representative today to schedule your comprehensive social engineering audit.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.