Social Engineering: How Attackers Exploit People's Vulnerabilities
A new report from the Information Security Forum (ISF) contains some fascinating insights into how hackers probe and exploit people's psychological vulnerabilities to gain access to corporate systems. From phishing to "whaling" (targeting high level executives) to "baiting" (offering something in return for credentials or information), hackers are using several tactics to gain a foothold. They also know the best time to deploy those tactics – at the end of the day, for example, when a person is tired and may not make the best decisions.
The findings were highlighted in a Dark Reading article, which shines an interesting spotlight on hacking and the human condition.
As the ISF study shows, today's hackers are far from the clichéd maladjusted nerds concocting cyber acts from their parents' basements. They are highly sophisticated actors with both technical skills and a deep understanding of human behavior and how to manipulate it through social engineering, a dangerous combination.
Spear-phishing has long been a favorite tactic, but intruders' use of newer attack vectors that build credibility over time and manipulate targets into making mistakes is growing. Such tactics include text messages ("smishing") and phone calls ("vishing") that use AI to impersonate known and trusted voices, such as a corporate CEO's.
One of the earliest examples of this attack vector involved a fraudster using AI-based software to mimic the voice of a company CEO, who demanded over the phone that the head of the company's UK subsidiary transfer $243,000 to a supplier. Because the executive believed the call to be genuine and the company lacked the technology controls to detect such attacks, the fraudulent transfer went through.
Security performance management: what you can do
While technology controls can help mitigate security risk, organizations must also take steps to better understand their employees’ psychological vulnerabilities and mitigate the risk associated with these behaviors. While training programs and self-monitoring behavior have always been core to creating a cybersecurity awareness culture, in the face of increasingly sophisticated psychological-based attacks, it’s time to up the ante.
For security teams this means focusing on securing the network against phishing attacks through security performance management and behavioral monitoring best practices. Security assessments can be performed to determine risk levels, while keeping a close watch on users' behaviors (monitoring the downloading of unsanctioned software, for example) can stop vulnerabilities from taking hold.
But other stakeholders have a role to play, too. To address the human vulnerabilities that lead to successful social engineering attacks, the onus is also on legal and finance teams to instigate more rigorous risk management protocols.
For example, any time an employee seeks to procure a service from a third party, whether or not that party appears legitimate, the entity must be vetted by the legal department, which then determines whether a formal contract is required. This is particularly vital whenever access to data or corporate assets is requested.
Furthermore, to minimize the risk of cyber fraud, finance teams must put measures in place to ensure that every direct payment to a third party is properly authorized and supported by a purchase order and an invoice. This should hold even when the request arrives by way of a phone call purportedly made by the CEO to an employee.
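The payment-authorization control described above, as an added example written for this page (not code from the article or the ISF report): a hypothetical Python approval gate that treats a purchase order, an invoice, an approver other than the requester, and callback verification of any phone or email request as independent requirements. The request fields and the sample request are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical model of a third-party payment request (not from the article).
# Channels where the requester's identity rests only on what was said or typed.
UNVERIFIED_CHANNELS = {"phone", "email", "sms", "chat"}


@dataclass
class PaymentRequest:
    requester: str
    channel: str                      # how the request reached finance: "portal", "phone", ...
    amount: float                     # recorded for the audit trail
    purchase_order: Optional[str]     # PO reference, None if none exists
    invoice: Optional[str]            # supplier invoice reference, None if none exists
    approvers: Tuple[str, ...] = ()   # everyone who signed off on the payment
    callback_verified: bool = False   # finance called the requester back on a known-good number


def evaluate_payment(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Return (release, reasons). Every failed check is reported so each gap can be fixed."""
    reasons: List[str] = []
    if not req.purchase_order:
        reasons.append("no purchase order on file")
    if not req.invoice:
        reasons.append("no supplier invoice attached")
    # Segregation of duties: the person relaying the request may not be its only approver.
    if not [a for a in req.approvers if a != req.requester]:
        reasons.append("no approval independent of the requester")
    # Seniority or urgency conveyed by phone or email does not bypass verification.
    if req.channel in UNVERIFIED_CHANNELS and not req.callback_verified:
        reasons.append(f"request received via {req.channel} without callback verification")
    return (not reasons, reasons)


# Constructed sample mirroring the voice-impersonation case: a "CEO" phones the subsidiary
# head, who relays an urgent supplier payment with no paperwork behind it.
ceo_call = PaymentRequest(requester="uk_md", channel="phone", amount=243000.0,
                          purchase_order=None, invoice=None, approvers=("uk_md",))

if __name__ == "__main__":
    release, why = evaluate_payment(ceo_call)
    print("release" if release else "hold: " + "; ".join(why))
```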
Keeping organizations and employees safe
While these protocols do introduce additional hurdles into the procurement process, executives can ill afford to take umbrage at a "trust, but verify" approach. By adopting a "three-legged stool" approach that involves security, legal, and finance, organizations can ensure that robust safeguards are in place to limit attackers' ability to manipulate psychological vulnerabilities, and keep both their organizations and their employees safe.