Social Engineering – a Rising Threat Part 3

Continuing with our special on social engineering, today we’re looking at some insights from the industry about the issue. In our video interviews with Lance Spitzner and Jelle Wieringa we’ve already established that social engineering remains the number one attack vector by far. But, they are obviously other aspects to this and also some tipps and tricks to harden the human firewall, if you want to express it this way.

One of the broader aspects of this can be summarized with one word: “awareness”. Or, to be more precise, the lack of it. Many people are not yet aware how important it is to protect their digital assets. Everyone knows that it’s important to lock their door, but you’ll be surprised how many people are “securing” their computers with passwords which are more of an invitation rather than an obstacle.

Social and talkative

“Gradually more aspects of our life are totally related to digital. We pour a great deal of information into tools connected to the Internet, but there is still no awareness of the importance of protecting this data and implementing cyber-security strategies that will help us to have a more safer online experience,” says Mario García, General manager for Spain and Portugal for Check Point Software.

The current situation fuels this widespread unawareness for the importance of cybersecurity. Thorsten Geissel, Director Sales Engineering EMEA at Tufin Technologies: “Covid gave adversaries a new play with governmental offices reaching out to their citizens for contact tracing or how to spend stimulus money. So those cases are raising and additionally most of the remote workers are not secured the same way they would be sitting in the office behind the whole security stack.”

Paolo Passeri, Cyber Intelligence Principal for Netskope, agrees with this analysis:  “Users are the new perimeter, and from an attacker’s perspective the entry point of the system: they are outside the physical boundaries of their organisation, and even worse, emotionally distressed – due to the current circumstances – so even more vulnerable”, he explains.

Interestingly, it can be argued that the rise of cybercrime is happening because of the increasingly digital lifestyle we lead. Here’s an interesting story from Rob Chapman, Director of Security Architecture at Cybera: “I asked a security professional to speak to our IT department on security. His presentation was simply titled, “How I Will Phish You.” It wasn’t a question of if he would be successful. It was simply understood he would be. What was remarkable about his presentation was that it was a story of how people over the last years have become so desensitized to putting personal information online that social engineering was simply the easiest way to attack companies.  

Since the mainstreaming of computers in the workplace I can’t think of a single time when someone’s online behavior impacted a company’s security posture as much as it does today. It’s easy to think this is a matter of personal responsibility, but I think people give themselves too much credit for independent thinking and action in the face of aggressive marketing efforts to solicit personal/confidential information from them. There’s no barometer for what to share. No intuition. Billions are spent each year building algorithms designed to attract this exact kind of oversharing. Each social media platform for work and life wants to know where I am, where I’ve been, my relationship status, my work status, where I’ve eaten, what I like, who I vote for, and on and on. We’re rewarded with faster connections online and platforms that cater ever more carefully to what we desire. The most insidious part is that it’s become so automatic that we don’t even stop to ask, ‘Is this really a good idea?'”

What to do

This sharing culture doesn’t mean we can’t do anything about cybercrime. On the contrary. We’ve already heard the tipps from Jelle Wieringa and Lance Spitzner, both of them can be summarized with three simple points:

1. Common Sense
2. Multi-Factor-Authentication
3. Software Updates.

Rob Chapman adds: “The best advice I can offer is this: Limit your organization’s blast radius. Limiting blast radius is something we don’t talk as much about, but it’s probably one of the most important architectural efforts you can make. It starts simply with the question, ‘If the worst happens, how can I minimize the impact?’”

As a way to conclude and summarize this article on social engineering, here’s another quote by Tim Berghoff, Security Evangelist at G DATA CyberDefense:

“Social Engineering is one of the most difficult things to defend against, There is no technology that can defend against it in any meaningful way. This most difficult to detect attack method targets the least well-defended part of any organization: the users. While a lot of threats these days can be mitigated using technology, users are still woefully underequipped when it comes to detecting and thwarting social engineering attacks. It is hard for humans to “un-learn” those behavior patterns which are exploited by attackers, because they often go against the trusting nature of humans. Educating oneself on how to spot social engineering attacks as well as learning how to defend against them is an absolutely vital step towards a more security-minded industry.”