
Human, all too human: Security’s weakest link

Damien Manuel | June 30, 2016
As a species, humans are for the most part curious, somewhat altruistic and community- or tribe-minded.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

We establish relationships based on trust and are eager to help the common collective. It's these qualities that have helped us advance, form societies and develop sophisticated technologies. When it comes to cyber security these qualities are also our downfall.

A recent study at the University of Illinois found that around half of the USB flash drives dropped in a car park by researchers were picked up by passers-by and plugged in.

Those who did were neither technically incompetent relative to their peers nor particularly risk-loving compared to the general population. As security professionals we may shake our heads in disbelief, but the subjects in the study are not foolish; they are simply human.

Appealing to our inquisitiveness, this straightforward (and thankfully mock) attack proved highly effective. Cyber criminals already know this and have been using psychology to exploit businesses for a long time.

As we learn more about how the human mind works, we naturally begin to understand the primal triggers that can be harnessed or exploited for good or bad. Examples are reciprocity, authority, urgency/scarcity, distraction and identification (posing as an employee, pretending to know someone, establishing trust by talking about favourite meals on the menu at the local café, etc.).

There has been a rise in whaling attacks in recent months. Since January 2015, the FBI has seen a 270 per cent increase in identified victims and exposed loss.

Spear phishing and whaling scams target senior staff in finance and accounting departments who are entrusted with sensitive employee information and with undertaking money transfers.

An email that appears to be from a senior executive, perhaps a CEO or CFO, or a valued customer, is received requesting an urgent release of funds or important information.

Cyber criminals play on the long-term relationships between business associates. The staff members targeted are eager to help their workmate, only to find it was an impostor.

These generally time-poor employees are only doing what they believe is best for their business, even if that means bypassing protocols in order to help. A single employee acting under pressure can easily create a gaping hole in your security architecture.

High-profile companies have fallen victim to this sort of attack, with employees unwittingly wiring millions to foreign banks and releasing employee payroll data to criminals.
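Mail-gateway heuristics for the impersonation pattern just described (an executive's name on an outside address, a mismatched Reply-To, urgency language, a request for funds or payroll data), as an added example that is not from the article or its author; the executive roster, company domain, keyword lists and both sample messages are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive roster and company domain (assumptions, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|before close of business)\b", re.I)
FINANCE = re.compile(r"\b(wire|transfer|payment|invoice|funds|bank details|payroll|w-?2|tax forms?)\b", re.I)


def score_bec(raw: str) -> dict:
    """Return the BEC-style indicators found in one single-part RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()  # constructed samples are plain single-part text
    domain = addr.rpartition("@")[2].lower()
    name = display.strip().lower()
    indicators = []
    # Display name is a known executive, but the address is not the one on record.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        indicators.append("exec_name_mismatched_address")
    if domain and domain != COMPANY_DOMAIN:
        indicators.append("external_sender")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        indicators.append("reply_to_domain_differs")
    if URGENCY.search(body):
        indicators.append("urgency_language")
    if FINANCE.search(body):
        indicators.append("funds_or_data_request")
    return {"indicators": indicators, "score": len(indicators)}


# Constructed sample messages: one impersonation attempt, one legitimate note.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@webmail-free.example
To: payments@example.com
Subject: Quick favour

Can you process an urgent wire transfer today? I'm in a meeting, will send details.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Lunch

Are we still on for lunch on Friday?
"""
```

A score of three or more is a reasonable trigger for holding the message for manual review or an out-of-band phone confirmation before any funds or employee data move.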

Cyber criminals can further fine-tune their phishing attacks using the kind of information we share about ourselves on social media. They may send an employee a malware-loaded email purporting to come from the recipient's old school, sports club or former employer. Who wouldn't click to view the photos from their old school's reunion? It's only natural.
