Creating a “Human Firewall” for IT Security
Psychologist and social engineer Christina Lekati from Cyber Risk GmbH explains the psychological basis of phishing and how to arm staff with effective defenses.
dotmagazine: How prevalent is social engineering as a cyber attack? What are the common objectives of social engineering attacks?
Christina Lekati: According to the latest threat landscape reports that have been published by organizations like the European Union Agency for Cybersecurity (ENISA), social engineering is, today, the most prevalent attack vector. It seems that threat actors increasingly prefer attacking humans first, rather than networks and security systems, in order to initiate or execute a cyber attack.
The reason is simple: while technology keeps advancing and security systems become stronger and more complicated to compromise, human psychology has remained the same over centuries and is thus easier to exploit. The stimulus-response effect in human vulnerabilities is consistent, and exploiting these vulnerabilities is consistently successful. In addition, employees are often insufficiently trained about social engineering attacks, which leads to an inability to identify or respond to these attacks. That becomes an exploitable organizational vulnerability.
The most common objectives of social engineers involve gaining some type of access: to systems, assets, or sensitive information.
dot: How much psychology is used in social engineering? As a trained psychologist yourself, do you find it possible to use psychology to defend against social engineering attacks?
Lekati: Social engineering is based almost entirely on exploiting human psychology – with the help of technology. It is, essentially, weaponized psychology. It utilizes deception techniques, manipulation, and the exploitation of the hard-wired human decision-making mechanisms that drive behavior and motivation. This usually leads to security breaches, or information leaks.
Having a background and degree in psychology helps in understanding the process that takes place when attackers target an employee or a high-value target within the organization. It also helps in identifying the human vulnerabilities that are left exposed. This way, we can be more targeted and effective in addressing the problem and in crafting a better defense mechanism against social engineering attempts.
In-depth knowledge of psychology also plays another important role: in the effective training of employees and in helping to create a security culture or “human firewall” within an organization. We utilize social psychology to support our training methodology. The goal is to motivate employees to practice good cybersecurity habits – to learn not only what the threats are, but why they are relevant to them, and what they should do about them. We want to trigger their interest, make the course personal and relevant to them, and make them care. The list of good cybersecurity practices can be the same in many different training courses, but using social science to deliver this message makes all the difference between employees that are simply aware, and employees that decide to actively support their organization’s cybersecurity efforts.
dot: What kind of clever tricks do successful social engineers use and how can users recognize them?
Lekati: Social engineering attacks can vary greatly, and thus, the tricks they use also differ. Although it is good to be aware of certain common approaches, we should not rely only on the scenarios we already know, as this would result in a false sense of security. Many social engineers do very thorough background research on their targets. They are able to craft an approach that is tailored to their target and is difficult to identify as an attack.
On other occasions, however, attackers do use tried and tested cover stories that have proved to be consistently successful. One common example is the vishing (phone-based) attack, where an attacker calls an employee and pretends to be an IT support staffer. Then they proceed to explain a cover story: For example, they may say that they are running some system upgrades and that they need the employee’s username and password in order to properly upgrade their accounts. Or they may say that they have developed a new online communication platform for employees and then ask them to register for it through a phishing email that they subsequently send, containing a malicious link.
Users can recognize an attack from certain red flags. For example, many social engineering pretexts use the combination of fear and time pressure to push an employee towards immediate action – this is an immediate red flag. Also, no matter what the cover story is, most attacks boil down to specific requests that should make an employee suspicious. For example, requesting sensitive information (such as user login credentials), or motivating them (either through the phone or a phishing email) to click a – malicious – link. Employees need to learn how to recognize the red flags and how to respond to them (or verify the contact person) in a business-appropriate manner. This happens through training.
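The red flags named in this answer (fear combined with time pressure, a request for credentials, a push to click a link) can also be turned into a first-pass triage aid for a security team or a reporting mailbox. The following is an added example, not code from the interview or from Cyber Risk GmbH: it parses an inbound message with Python's standard email library, tests the body against constructed phrase lists, and returns a verdict. The two sample emails, the phrase lists and the "report/verify/ok" outcomes are all constructed for this illustration; the Reply-To domain check goes beyond the interview's list of red flags and is an assumption of this example. Keyword matching only catches the tried-and-tested pretexts the answer describes, so a well-researched, tailored approach will not trip it; it complements training, it does not replace it.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrase lists constructed for this example; tune them to the organization's own language.
FEAR_PHRASES = ("suspended", "locked", "terminated", "unauthorized access",
                "legal action", "deactivated")
TIME_PRESSURE_PHRASES = ("immediately", "within 24 hours", "urgent", "right away",
                         "before end of day", "as soon as possible")
CREDENTIAL_PHRASES = ("password", "login credentials", "username",
                      "verify your account", "confirm your identity")
LINK_PUSH_PHRASES = ("click here", "click the link", "log in here",
                     "register here", "follow this link")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of a message (handles single-part and multipart)."""
    parts = []
    candidates = msg.walk() if msg.is_multipart() else [msg]
    for part in candidates:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_email: str) -> dict:
    """Map each red flag from the interview (plus the Reply-To check) to True/False."""
    msg = message_from_string(raw_email)
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    flags = {
        "fear": any(p in text for p in FEAR_PHRASES),
        "time_pressure": any(p in text for p in TIME_PRESSURE_PHRASES),
        "credential_request": any(p in text for p in CREDENTIAL_PHRASES),
        "link_push": any(p in text for p in LINK_PUSH_PHRASES) and bool(URL_RE.search(text)),
    }
    # Assumption beyond the interview: replies routed to a different domain than the sender.
    reply_dom = _domain(msg.get("Reply-To"))
    flags["reply_to_mismatch"] = bool(reply_dom) and reply_dom != _domain(msg.get("From"))
    return flags


def triage(raw_email: str) -> str:
    """'report' = hand to the security team, 'verify' = confirm via a known channel, 'ok' = nothing found."""
    flags = red_flags(raw_email)
    hits = sum(flags.values())
    # Fear plus time pressure is the combination the interview calls an immediate red flag.
    if (flags["fear"] and flags["time_pressure"]) or hits >= 2:
        return "report"
    if hits == 1:
        return "verify"
    return "ok"


# Constructed sample messages (domains under .example are reserved for documentation).
PHISH_AFTER_VISHING_CALL = """\
From: IT Support <it-support@corp.example>
Reply-To: helpdesk@corp-upgrades.example
Subject: Urgent: account upgrade required
Content-Type: text/plain; charset="utf-8"

We are running system upgrades tonight. Your account will be suspended
unless you confirm your username and password within 24 hours.
Log in here: http://corp-upgrades.example/login
"""

BENIGN_NOTICE = """\
From: Facilities <facilities@corp.example>
Subject: Parking lot maintenance next week
Content-Type: text/plain; charset="utf-8"

The north parking lot will be resurfaced on Tuesday. Please use the
south entrance that day. No action is needed from you.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_AFTER_VISHING_CALL), ("benign", BENIGN_NOTICE)):
        print(name, triage(sample), red_flags(sample))
```

The verdict strings map onto the response the answer asks for: a "verify" result means the employee (or the mailbox handler) confirms the request with the supposed sender through a known, independent channel before acting; "report" means the message goes to the security team as a suspected attack.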
dot: What are the top 3 actions that companies need to take to effectively defend against social engineering attacks?
Lekati: There are a number of actions organizations can take. Some of them involve technical measures and controls (such as enabling multi-factor authentication wherever necessary or applying the principle of least privilege). When it comes to the human factor, here are some steps that we know make a difference:
1. Employee social engineering awareness training:
The most exploited factor in social engineering is ignorance. A person that does not know the tactics and methods used by social engineers is defenseless against them. Employees need to understand not only what to do, but also why. They need to understand that security is a shared responsibility, and that successful cyber attacks can lead to a number of disasters both for themselves and their organizations.
However, not all training approaches are effective. It is ideal to adopt an approach that engages employees and is tailored to the specific needs and environment of the organization they operate in.
2. Social engineering attack simulations:
Once employees have learned to identify and respond to social engineering attacks, their skills can be put to the test. An organization may need to perform either phishing email simulations, phone-based (vishing) attack simulations, or in-person simulations to see how far a potential outsider could get into the office premises. These simulations help employees solidify the knowledge that they have acquired through training, and to be alert.
3. Conducting an Open Source Intelligence (OSINT) analysis on the organization:
Companies often have little awareness of how much information about their organization is on the internet, the risk it may pose, or what sources have made it available. Social engineers heavily leverage open source information to facilitate their attacks. Open source intelligence gathering helps organizations to proactively deal with this problem and reduce or eliminate potential attack verticals and information leakage vulnerabilities.
At the same time, an OSINT analysis is an important resource for identifying and covering specific training needs. Some of the information that might pose a risk may need to remain on the Internet. From experience, we know that certain information is highly likely to be used in attack scenarios. The organization can train employees on challenges related to information that can be used against them, but that needs to remain online.
Corporate OSINT analysis has proven to be quite useful for organizations; in some of the OSINT investigations that we have conducted for organizations in the past, we have been able to identify specific confidential information that had leaked online, physical security vulnerabilities, insider threat risks, and more.
Christina Lekati is a psychologist and a social engineering specialist working in the field of cybersecurity. She participates in a variety of projects where she practices or trains teams on social engineering for defensive or offensive security purposes.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.