Black Hat Europe took place in London in the first week of December 2019 and Omdia was invited to participate in a panel discussion about trends in social engineering and human hacking. All too often people are described as the “weakest link” when it comes to security, but this is unfair. People are often left to their own devices, and frequently untrained apart from an annual tick-box exercise to address some objective or another. Attackers are also becoming more sophisticated, preying on specific human traits to further their objectives. As such, we should not be surprised that using humans to breach security defenses remains one of the easiest methods of attack.
The scope of the “human” problem in cybersecurity defenses is significant. Dark Reading reports that 61% of organizations believe that end users who are negligent or break security policy are likely to be the cause of a breach within the coming year. And a 2019 Omdia survey of more than 500 merchants found that almost three-quarters of respondents either agreed or strongly agreed that their risks of a data breach are higher than they were in the previous year (up from fewer than two-thirds in the same 2018 survey).
The attitude of enterprises to security awareness and education tends to vary according to the amount of legislation that affects the organization. When it comes to helping humans not be the weakest line of defense, most enterprises have only the most basic controls in place: a tick-box approach to awareness training that must be completed every year, or a reporting system in which potential security incidents disappear into a black hole without any feedback. Or they rely solely on technology, a one-legged stool missing people and process.
To make inroads into social engineering and human hacking, behavior needs to change. This means catching the “moments in time” when policy has been breached and intervening immediately to explain the breach and what should have been done instead. It is also important that individuals know what the outcome might have been had they continued with their insecure behavior, because knowing why something must be done reinforces the message. Organizations can make use of security ambassadors or champions to communicate these messages.
Of course, not everyone in the organization should be treated the same. Consider, for example, spear phishing, where specific individuals are targeted based on their role. This requires more effort on the part of the attacker than a general phishing expedition but can yield significantly better results. And the effort isn’t days long. One panelist said that with around 100 minutes of general Google searches, they can find enough information about an individual to launch a successful spear phishing attack on a C-level executive or perhaps an IT administrator with escalated privileges. Another example is individuals working in finance, who need to be prepared for banking or invoice fraud, an area where sophisticated social engineering techniques continue to make inroads.
These individuals therefore require specialized training and support to help them look out for this type of attack, getting the right messages to the right people at the right time, while still enabling them to conduct their day-to-day roles.
The question of how serious social engineering and human hacking are can be answered in one word: very. But if enterprises were to improve their approach, bringing in role-based and moment-in-time interventions, humans could become a much stronger line of defense.
Maxine Holt, Research Director