Successfully defending against socially engineered phishing campaigns means addressing both technological and human vulnerabilities. Doug Olenick reports.
When it comes to finding a scapegoat after a company falls victim to a spearphishing scam, pointing toward the human being in the room typically isn't unjustified or unfair.
Unfortunately for the human race, this knee-jerk response to the longtime and frequent security question – who's to blame? – has been mostly correct because as a species we're challenged when it comes to deciphering good from evil emails. Couple the basic human desire to be helpful with the increasingly powerful skills wielded by cybercriminals in their attempts to hack into an organization, and the outcome is predictable.
Socially engineered messages appeal to a very base human behavior, and that is why social engineering is such an effective strategy, says Patricia Wallace, a psychologist and former senior director of online programs and IT, Center for Talented Youth, at Johns Hopkins University.
“Social engineering causes people to drop their cognitive defenses by containing strong urgency messages,” she says, explaining that is why these messages often ask for help or touch on a topic that is quite personal to the recipient.
Whether it is an unsuspecting office worker at Stanford University's payroll provider or someone at Snapchat, too many people just cannot help clicking on an email link, particularly one that has been carefully crafted using every social engineering tool in the box.
Vidur Apparao, CTO, Agari
Andy Feit, head of threat prevention marketing, Check Point Software Technologies
Michael Lamberg, CISO, OpenLink Financial
Shalabh Mohan, vice president of product and marketing, Area 1
Patricia Wallace, psychologist; former professor, Johns Hopkins University
Most measures designed to defend against socially engineered attacks rightly revolve around workforce education. The idea is to teach people to take a hard look at an email, not only before clicking on it, but prior to following any instructions it might contain.
However, teaching the average worker the dos and don'ts of cybersecurity should not be the only bullet in a company's arsenal as a growing number of technical solutions are coming on the scene. But starting with those individuals on the front line is the most logical – and difficult – place to begin building a corporate defensive perimeter.
“This is the largest issue from a security perspective because everyone on the planet can be duped,” says Michael Lamberg, CISO of OpenLink Financial, a Uniondale, N.Y.-based software and services business.
There is no doubt that socially engineered attacks work. A quick look back at the last few months shows a corporate landscape littered with victims hit with W-2 scams, ransomware and malware, with almost all of the incidents being enabled by a human making a mistake. These include major hospital chains, like MedStar Health and Hollywood Presbyterian Medical Center, as well as Seagate, Sprouts Farmers Market and Snapchat, to name a few.
Verizon's 2016 “Data Breach Investigations Report” revealed the power of a properly socially engineered phishing attack. The data, which was derived from sanctioned phishing tests that had eight million total results, showed that 30 percent of phishing messages were opened by the target, with 12 percent moving on to click the malicious attachment or link. These figures are up from 2014, when only 23 percent opened the email, with 11 percent clicking on the attachment.
Not only do many people click on these emails, but they do so quickly. Verizon found the median time for the first user of a phishing campaign to open the malicious email was one minute and 40 seconds, and the median time to the first click on the attachment was three minutes and 45 seconds.