In the realm of IT security, when organisations have their very business on the line, the instinct for most companies is to simply throw money and technology at the problem, upgrading technical systems at every opportunity to keep pace with emerging threats.
But ignoring the human element of cybercrime would be naïve, Kaspersky Lab’s David Emm argues. The Russian firm’s Senior Security Researcher was addressing the modern day malware landscape in a speech at the Royal Holloway University during Kaspersky’s Cyber Security for the Next Generation conference (below) last week; his words carrying added weight given the presence of the world’s brightest technological talents, competing in the finals of Kaspersky’s cyber-security research competition for students.
Emm urged the prodigies to create an industry that looks closely at how cyber-criminals target individuals if they want to curb hacking and reduce risk. A report from Kaspersky this week highlighted an alarming rise in phishing attacks with an average of 3,000 users being attacked in this manner every day in the UK; three times as many as were recorded during 2011-2012. Significantly, phishing attacks prey more heavily on weaknesses in the individual than in network infrastructure – the trend thus demonstrating the growing importance of our behaviour in the process of cyber-attacks.
And where better to mine for these behavioural weaknesses than social media sites? “If you’re a pickpocket in town, you go where the crowds go, and modern hackers are the same,” said Emm. “If you think about Facebook as if it were a country, it’d be among the two or three most populous in the world. There are masses of people on social networks and therefore there’s a big pool of potential victims.”
Social networks provide the perfect platform for spreading malware, Emm says, with miscreants ceaselessly “trying to persuade people to click on something [example, right]. They spot fear in them, spread gossip, or do similar things to try and get people to click.” As victims will know, a single click can send the same malicious link to all of their ‘friends’ or ‘followers’, enabling the malware to spread like wildfire.
But Facebook, Twitter, et al go beyond simply providing some legwork for spreading threats. Perhaps more worrying, is the ability they give cyber-criminals to profile users and tailor even more convincing, customised attacks - known as spear-phishing.
Emm said there is no doubt “hackers use social network to harvest information about individuals… Facebook, Twitter, Tumblr and all the rest of them, they share what you do, and the danger is that we over-share - and the information is valuable.” Posting updates about where you have been on business trips can be dangerous, he warned, as hackers then have a reference point to dupe you with a malicious email. The route in can be even more direct too, as Emm noted how IT enthusiasts may write about which anti-virus software they are using, meaning cyber-criminals can simply write the appropriate malware to bypass that solution.
It is no coincidence that some of the most well-known cyber-breaches have come as a result of human error, rather than flawed infrastructure. The hack on security group RSA in 2011 sent shockwaves through the industry, in an incident that all began through an employee clicking on a malicious email attachment. "In many cases, the start point is the individual because hacking humans is easier than hacking computers," Emm comments. "You get exploits in applications and technical hacking, but we often overlook email.”
Social networks providing a direct gateway for hackers, or supplying data to enable penetration through email and other areas, is a problem only likely to grow over time. The more they allow us to share our lives and identities, the easier the job will become for cyber-criminals. Take Facebook Graph Search revealed this year, which pushes forward specific member profiles according to search requests about their hobbies, location, jobs and more. No wonder it was dubbed a “phishers’ dream” soon after its unveiling.
The onus is therefore on organisations to invest heavily in staff training to improve awareness over how employees are being targeted. While the new generation of security researchers, the cream of which were showing their promise at Kaspersky's competition last week, will have to think smarter than their predecessors when it comes to tackling cyber-criminal activity.
If you’re worried about your organisation being breached through employees rather than network infrastructure, why not turn the scenario on its head and discover how staff can be used to actively suppress cyber-attacks and for a comprehensive list of our Twitter guides and advice check out our Twitter guide for effective business.