The human OS: Overdue for a social engineering patch

It sounds like the operating system that really needs some serious security patches is the human one.


While technology giants like Microsoft, Google and Apple regularly crank out updates, patches and fixes for zero-day vulnerabilities and other threats, the weakest link in the security chain -- the careless or clueless employee -- remains unpatched.

That is in large measure because there is no technology that can prevent someone from falling for increasingly sophisticated social engineering attacks. As has been regularly reported during the past year, some of the biggest data breaches in history began with attackers fooling an employee.

And that is despite years of exhortations by experts that worker security awareness training needs to be much more than a perfunctory lecture or PowerPoint presentation once every six months or so.

In a recent flash poll conducted by Dark Reading, more than half of 633 respondents said, "the most dangerous social engineering threat to their organizations was due to a lack of employee awareness."

The latest McAfee Phishing Quiz, which had drawn more than 30,000 participants in 49 countries as of early this month, found that 80% fell for at least one phishing email in the 10-question quiz. Among business users, the best score came from IT and R&D teams -- but their score was just 69% correct in detecting which emails were legitimate and which were phishing.

In short, human hacking continues to be far too easy. Chris Hadnagy, chief human hacker at Social-Engineer, said during a Dark Reading radio interview that, "as you can see from the news, it's (social media attacks) working way too well."

According to Hadnagy there are three major causes for that -- the first two relating to human weaknesses and the third to much-improved attacks.

First, people are programmed to want to help others. "Inherently we want to trust people," he said.

Second, most users are uneducated about security threats. "Companies are not doing a great job at security awareness education that matters to or affects the employee," he said. "Put those two together -- the psychology and the lack of education -- and you have a breeding ground for social engineering."

And that makes them even more vulnerable to attackers who have upped their game. "It starts with OSINT (open-source intelligence) or online information gathering," Hadnagy said. "That's the lifeblood of social engineering. Once the information is gathered, it becomes apparent what attack vector will work best."

Theresa Payton, former White House CIO and current CEO of Fortalice Solutions, agrees that OSINT gives attackers far better tools to fool their targets.

"They figure out who the executive team is, the law firm, the names of the corporate servers, current projects, vendor relationships and more," she said. "They use the reconnaissance, which can often be done in less than a day, to create sophisticated social engineering attempts."

Attackers have also almost eliminated one of their most obvious weaknesses. Gone are the days of lousy spelling and grammar that made phishing emails relatively obvious.

"They're using spellcheck, and they hire organizations to proofread their emails," Hadnagy said. "That was a huge indicator in the past."

Finally, there is the rise of "vishing," in which an attacker makes a phone call, posing as someone from another department, to urge an employee to click on a link in an email without checking it thoroughly.

"This means sending the poisoned email to a secretary, and then calling her on the phone to 'confirm she received the email,' under pretense of having to communicate something important to the organization," said Mark Gazit, CEO of ThetaRay. "The adversary will typically stay on the line to make sure the employee launches the attachment."

Gazit said vishing attacks also include sending employees an SMS with a link to a phishing site or a spam message claiming that one of their payment cards has been blocked. "In the process of hastily responding to such a message, the victims end up divulging their banking credentials and PII to the attacker," he said.
