The IT security industry is often rather fixated on Information and Technology. It’s perfectly understandable, of course: we're trying to protect the hardware, software and the information we put on them, as well as the services they provide.
But it's easy to forget that computer security threats aren't the work of some malevolent, robotic, entity. Cyber threats don't appear out of nowhere. At the beginning and right though development and attack, humans are involved. Recently, we profiled half a dozen types of attacker – our ‘Unusual Suspects’.
An attack might start with the Professional working in the digital shadows, those who are behind the scenes and making by far the most money from the damage they cause. Then you've got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking.
There are Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country's government. And then there’s the Insider giving away sensitive information accidentally or on purpose.
These are all just types of people we’ve recently identified as the key threats to businesses and without them, cybercrime can't exist.
Humans are the weakness
The same goes for defence. It's not the time of Skynet – companies aren't workplaces full of robots where everything is automated. Although technology is a necessity, mandatory even, there are humans pressing buttons or operating systems. And this is why in cybersecurity, no matter how expensive or advanced the technology is, humans will always be a factor and a crack in any reinforced armour.
This is why social engineering will always be a challenge. In the context of security, it refers to the psychological manipulation of people into performing certain actions or revealing sensitive information. If you've ever watched a movie about a heist, think of a criminal targeting a bank guard, distracting them with a random conversation, and proceeding to pickpocket their keycard which they use to break in.
In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. This is where they may attempt to draw sensitive information such as usernames, passwords and bank details from people through creating a fake email that looks trustworthy. It's also possible for these emails to carry links to malicious websites, which could lead to a user downloading something nasty on their system.
The threat of the insider
Employees will always be a weak spot, and social engineering is leading to more examples of 'unintentional' insider threat. The effects can be devastating – if a business carried the credit card details of customers, an employee clicking on an email leading to a website laced with malware could lead to a data breach, financial or reputational damage and the related fines or compensation claims that result.
At its core, unintentional insider threats are human problems that require human solutions. In certain cases victims may violate policies, but it may often be the case that the rules were not clear enough for the employee to know they were doing something wrong. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.
To mitigate against social engineering attacks, there needs to be security awareness and culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk of social engineering and what role they have in preventing it happening. And this all has to be done in tandem with putting the right technology in place.
Defeating the Unusual Suspects
Defending against cyber threats is all well and good, but what about catching Unusual Suspects and the perpetrators of social engineering attacks? This is difficult, because they use sophisticated tactics to escape detection – they are often international, and use secure software to escape detection to remain anonymous, often routing communications through multiple countries to escape detection.
Fortunately it’s here where human fallibility is a good thing – criminals will make mistakes and leave trails that sophisticated analytics and forensics can pick up.
And don’t underestimate the power of human ingenuity and doggedness – thanks the efforts of law enforcement and the security industry working in tandem, we’re finally getting to a point where the investigation of online crime isn’t as much of a mystery as it has been in the past.
Dr Adrian Nish, Cyber Head of Threat Intelligence at BAE Systems
Image source: Shutterstock/Benoit Daoust