Social engineering is here to stay, what can a CISO do to prevent it?
Every year at DEFCON, one of the most awaited events is at the Social Engineering Village. Once a theme is selected, the participants are provided a list of target companies with the goal of extracting the maximum possible information, and eventually “hack” into it. The participants scour the public-facing digital presence of the company to search for any aspect that can be leveraged: Is the company directory open and freely accessible? Are the company’s executive members on LinkedIn, Twitter, or other social channels? What are their social connections? More often than not, the ‘weakness’ ends up being the individuals that make the company- its employees. After the reconnaissance, participants begin the challenge live and on-stage. They call employees and try tactics - for instance, to add urgency to the matter, they morph the sound of a crying baby in the background and pose as an employee trying to get data.
Two years back, the SECTF (Social Engineering Capture the Flag) event at DEFCON targeted alcohol companies among others. One of the contestants was a woman posing as an IT admin of the New York branch of a popular alcohol manufacturer. She started the conversation with preliminary browser details of the target employee, but she ended up with information about the operating system and its version; setting the stage for a zero-day or ransomware attack. If the target was more cyber aware … things would have been different.
“Hello, XYZ IT department. How can I help you?”
That’s how the chase begins, and social engineering continues its damage, costing $4.47 million, according to the 2021 Cost of Data Breach report. A cursory glance at deep web portals reveals that social engineering is becoming a hot skill. "Need someone that has experience with social engineering over call, great pay," and, "Looking for a social engineering god that is from the USA and has a clear & normal adult voice. No little kids."
Build a cybersecurity culture where it is a shared responsibility
Today, cybersecurity is a $170 billion dollar industry with organizations investing ~$1,300 to $3,000 spent per full-time employee. Services such as Security Information and Event Management, Biometric systems, Data Loss Prevention among others are currently included in managing the ‘human’ aspect of cybersecurity. However, as the lines between home and office blur, the Tactics, Techniques, and Procedures deployed by cybercriminals are getting more creative. Since businesses have hardened policies in place, threat actors approach employees through other channels.
For example, over a four-month period in late 2019, at least two European aerospace and defense firms were targeted and compromised via LinkedIn. To initiate contact, cybercriminals approached the targets with fictitious job offers using LinkedIn’s messaging feature. In order to appear credible, the attackers posed as representatives of well-known, existing companies in the aerospace and defense industry. Once the contact was established, the attackers snuck malicious files into the communication via LinkedIn messaging, or email containing a OneDrive link.
What is the solution?
An employee is more likely to be trapped with attacks that aren’t traditionally covered in corporate cybersecurity activities. Today, people are over-stimulated and surrounded by content that is short, engaging, and always available on their smart devices. Since people-related cybersecurity practices have not completely adapted to the changes, we see damages reach beyond millions of dollars.
By 2025, millennials will constitute 75% of the workforce. They demand quick, efficient solutions without wanting to invest more time than necessary. What used to work in 2000 will not work in 2021. Keeping these in mind, cyber-awareness sessions should change from unidirectional or computer-based training sessions to a dynamic and real-time approach. Much like Instagram scrolling, “bite-sized” interactive cyber-awareness content facilitates higher content consumption and improves retention. In fact, research shows that the human brain can assimilate only 6 to 9 data points at once before a sudden and severe drop in memory and attention is observed. Gamifying cybersecurity with real-time leaderboards and engaging quizzes covering topics such as the latest TTPs used by cybercriminals in actual scenarios can help too.
As long as people are involved, social engineering will find new targets. The only defense is to be prepared and the preparation needs to be up to the mark! Organizations need to appreciate where their employees are before, during, and after work and modify their cybersecurity strategy accordingly. Social media, digital wallets and payments applications, cloud storage services such as Google Drive and DropBox, and even online shopping websites are regularly used as entry-points by threat actors carrying out social engineering reconnaissance. Why limit cybersecurity to phishing simulations and annual awareness sessions?
In 2020, the median age in India was just 28, compared to 37 in China and the US, and 49 in Japan. India’s ‘demographic dividend’ presents a unique opportunity to train people to be cyber-aware. If organizations modify their current approach, instead of being a drawback, our digitally native population will be a strength.
Rahul Tyagi
Rahul Tyagi is the co-founder of Safe Security, an Indian cybersecurity firm headquartered in Palo Alto, California.