The theme of FIC 2020 was Putting Humans at the Heart of Cybersecurity, so it's no surprise that social hacking
remained a hot-button topic throughout the three-day conference.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.
While social engineering has been around for decades, recent years have registered a
concerning uptick in the quantity and quality of social attacks. Using simple, yet effective techniques,
Silent Breach ethical hackers have found that a layered attack -- combining phishing, vishing, as well as targeted
spearphishing attacks -- can critically breach 90% of businesses within one week, all without writing a single line of code.
Gone are the days of poorly formatted mass phishing emails alerting you to your newfound Nigerian wealth. Today, hackers can easily craft customized spearphishing
attacks via a quick Google search or browsing social media. Here we will discuss the latest trends, lessons, and warnings from FIC 2020:
The Human Behind the Machine
"Humans aren't the weakest link. They're the missing link," Deanna Caputo, a behavioral scientist at MITRE, announced to an auditorium packed with technologists,
military professionals, and security analysts. In other words, the reason why the majority of security breaches result from human error is not because humans are
inherently flawed. Rather, it's because the tools and processes designed to keep us safe do not take into account the actual users who are meant to implement them.
For example, telling employees not to click on 'suspicious' links will produce limited results when there are no clear and consistent guidelines for declaring a
link 'suspicious'. Instead, one speaker suggested, recommend that employees ignore all 'unverified' links, i.e. any link that the recipient was not separately
informed (perhaps via Slack) to click on.
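The 'unverified link' rule above can be enforced mechanically at a mail gateway or in a triage script: any link whose host was not announced out of band is treated as unverified, and the pressure cues the post describes are surfaced so a reviewer sees why a message was flagged. This is an added example, not a Silent Breach tool or anything presented at FIC; the allowlist, the cue list and the two sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts of links the recipient was told about separately
# (e.g. in Slack). Assumption for this example; in practice this would be fed
# from the out-of-band channel.
EXPECTED_LINK_HOSTS = {"intranet.example.com", "hr.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed word list matching the financial / time-based pressure described above.
PRESSURE_CUES = ("right now", "immediately", "within 24 hours",
                 "account will be", "suspended", "credentials")


def link_host(url: str) -> str:
    """Return the host of a URL, lower-cased, ignoring userinfo and port.
    urlparse() takes the part after the last '@', so 'user@trusted.example@evil'
    resolves to the real destination rather than the decoy prefix."""
    return (urlparse(url).hostname or "").lower()


def classify_message(body: str, expected_hosts=EXPECTED_LINK_HOSTS) -> dict:
    """Apply the rule: a link is verified only if its host was announced out of band.
    Look-alike hosts (hr.example.com.verify-login.test) fail the exact-match check."""
    urls = URL_RE.findall(body)
    unverified = [u for u in urls if link_host(u) not in expected_hosts]
    lowered = body.lower()
    cues = [c for c in PRESSURE_CUES if c in lowered]
    return {
        "urls": urls,
        "unverified": unverified,
        "pressure_cues": cues,
        # The post's advice: ignore any link you were not separately told to click.
        "action": "ignore" if unverified else "ok",
    }


# Constructed samples: one announced link, one look-alike with a pressure script.
SAMPLE_SAFE = "Reminder: the timesheet link we posted in Slack is https://HR.example.com/timesheets"
SAMPLE_PHISH = ("Your credit card has been hacked. Verify your credentials right now at "
                "https://hr.example.com.verify-login.test/reset or your account will be suspended.")

if __name__ == "__main__":
    for sample in (SAMPLE_SAFE, SAMPLE_PHISH):
        print(classify_message(sample))
```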
Accordingly, when developing a security tool, standard, or process, it is critical to first ensure that you're designing for how people will use it, not for how
you'd like them to use it. By carefully accounting for the human element, cybersecurity can go from being an idealistic goal to a realistic solution.
In February of 2004, social hackers were handed the gift of a lifetime in the form of Facebook. While unimaginable at the time, Facebook's success ushered in a
new era of mass human communication, i.e. social media. Since then, platforms such as Twitter, Instagram, and LinkedIn have provided users with a treasure trove of
personal data on pretty much anyone in the world. Social media has made social hacking easier and cheaper than ever before.
So, what's the solution?
According to Rachel Tobac, co-founder and CEO of Social Proof, "You don't need to delete your social media. You need to be politely paranoid." To use her
example, it's okay to post a photo of your vacation in Cancun, but it's probably a bad idea to tag the hotel you're staying at. Once a hacker knows your name,
the date of your stay, and the name of the hotel, they can easily give the hotel a spoofed call and make off with your hard-earned reward points.
Asked about the potential for AI to automate and mass produce social engineering attacks, Jeff Moss, Defcon founder, remained skeptical. "For the foreseeable
future, a human, not AI, will always be a greater threat to other humans." While AI may be good at gathering useful background info or predicting which attack
vector to utilize, the actual social attack will require a level of emotional intelligence that Artificial Intelligence currently lacks.
In the meantime, both the private and public sectors should increasingly invest in AI research to ensure that critical innovations are (at least initially) used
to help secure our networks, rather than breach them.
1. Take a breath. Ask a question.
Social hackers will usually use some sort of financial or time-based pressure to make their victims act impulsively (e.g. "Your credit card has been hacked and
if you don't provide me with your account credentials right now, your account may be cleaned out"). In the legitimate world, this is rarely the case. So, if you
feel yourself getting emotional or worried, this is a good sign that you should take a deep breath and politely ask if you can call them back. Chances are, the
next thing you'll hear is a dial tone.
2. Two Person Rule
Key functions should require more than one person to sign off. Each person has a distinct set of biases, so requiring more than one person to okay a decision
greatly decreases your risk. For example, Tobac found that while 100% of men fell prey to her vishing attacks, very few women made the same mistake. Remember,
redundancy always decreases risk.
3. Migrate away from email
There are many direct messaging applications with end-to-end encryption (such as Slack, Signal, WhatsApp) readily available. As much as you can, slowly migrate
your communications to one of these.
Protect your business. Talk to a Silent Breach representative today to schedule your comprehensive social engineering audit.