How Insider Threats are Realized
By Daniel Jetton, VP Cyber Services, OBXtek, Inc.
While technical security problems can be dealt with through technical solutions, people must be approached in a different manner. The insider threat is one of the greatest liabilities in cybersecurity today due to the unpredictability of humans and their interactions with computers and networks. Humans account for over 90% of security incidents and the genesis of these incidents and breaches originate from computers, user mistakes, infections, resentment, fraud, and carelessness.
A popular way of manipulating people from outside of an organization is to make them an insider threat using social engineering. Social engineering (SE), considered mostly an art but involving some science, demonstrates how people can be manipulated using a minimal amount of information. A confidence game based on human nature, social engineering pits human nature against security. Social engineering is arguably the costliest cyber-security issue today, but it is also the most preventable. Untold millions of dollars are lost every year due to social engineering with $3.7 million a year being spent on phishing alone for the average 10,000-person company.
Social engineering (SE) is defined as the deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information. During the engagement, victims are not aware they are being manipulated or that their actions may cause harm to themselves or their organization. By way of subterfuge, social engineers (SEs) convince victims to act against their best interests or against the interest of their organization. Unlike bribery or threats, a victim’s motivation is based on trust and not necessarily reward or violence.
SE has been around for millennia. The Trojan Horse, of Greek mythology, wheeled into the secure gates of Troy was a SE (trust) ploy. In 1849, Samuel Williams, the original “confidence man” as he was known, conned the naïve into giving him their valuables by simply asking people to trust him with their jewelry until the next day.
In the early 20th century, Benito Mussolini was swindled out of $2 million dollars for phony rights to Colorado mining lands. Then in the 1960s, Frank Abagnale made a living using fake personas while kiting checks. It wasn’t until hacker Kevin Mitnick arrived on the scene in the 1990s that the term “social engineering” entered into the popular lexicon. Mitnick used the telephone as a tool to glean inside information needed to penetrate a network.
Professional penetration tester, Chris Roberts of One World Labs states that “Whether breaking into buildings or slipping past industrial-grade firewalls, my goal has always been the same: extract the informational secrets using any means necessary.” When given the mission for doing a penetration test for a high net-worth client, Roberts used the internet to find a phone number and an email the client had posted in a public forum for concert tickets.
The office number for the client (in this instance) allowed Roberts to gain access to personal cell phones numbers, mortgage info, and a home address by posing as a publicist on the phone. According to Symantec, bad actors aren’t targeting Windows vulnerabilities for the exploit, they are going after people. Approximately 3% of malware used by perpetrators is used to exploit a technical glitch. The other 97% of malware is used to trick or as a ruse relating to a social engineering scheme.
91% of breaches are the result of phishing. Phishing has been around for quite a while and maybe the most common type of social engineering. Phishing uses threats, fear and a sense of urgency to motivate and manipulate victims to act immediately on spoofed websites or sites that have been shortened or embedded with links to suspicious websites. Ultimately, the actions, if successful, will provide the social engineer with personal information like names, addresses, and credit card numbers. Phishing emails can run the gamut from mass-produced, low-quality emails (i.e. spelling errors and obvious misinformation) to focused emails (spear phishing) with detailed information and professional looking logos and signatures.
A McAfee Phishing Quiz found the most successful phishing email was spoofed from the United Parcel Service (UPS). The logo and branding matched and the website URL shown as UPS.com. Of note was the fact that the email contained only one malicious URL link. The first URL was a bona fide package tracking link. Only the second one, which encouraged the download and opening of an “invoice” (malware), was bad.
As we know, phishing, the (mostly) email-based attack, gets its power from people clicking on an embedded link within an official-looking email that can take them to a nefarious site or require victims to enter personal information under the guise of responding to a query from their bank or trusted institution. Vishing, phishing’s lower-tech cousin, uses the telephone to try and extract personal information from potential victims. This technique precedes phishing and dates back to the days when a social engineer attempted to get credit card numbers from trusting victims.
Pretexting relies on a social engineer’s back story or scenario to gain the victim’s trust. By using small amounts of actual, personal information (put together from various web sources) a social engineer can gain enough confidence to extract more information from the victim. SEs may advance their attacks to convincing victims to perform malicious acts without their knowledge to exploit a company or business. These attacks can be done online or in person. Impersonating a janitor who “lost his keys” is a perfect gambit for a social engineer to gain access inside a building or room for a seemingly authorized purpose.
Quid Pro Quo engagements offer an exchange of goods or services for information. Recent attacks include fraudulent Microsoft service desk tech impersonators who cold-call users offering to walk a victim through the process of removing phantom malware. These attacks can end up with the social engineers having access to a victim’s computer and personal information or put them in a position where they can lock and encrypt the victim’s information in order to ransom it for cash.
Baiting, like phishing, is based on a promise or likelihood of reward for cooperation. This type of SE is most common among freeware offers that entice users to enter personal information like name, addresses, emails, credit card numbers or banking information in exchange for the free product.
The prevalence of social engineering attacks suggests that not only are the social engineers becoming more devious and improving their toolbox but the human factor or “human firewall” is a continuous inherent weakness of a victim’s inability to distinguish between bona fide requests and malicious communications. That being said, the obvious solution is knowledge.
Mitigation of social engineering risk can best be done through awareness and training, focusing on the people and the processes. Companies should invest in training to make users aware of the potential threat (techniques, ploys, and pitfalls) and educate them about how to deal with SE situations. Awareness and training combined with metrics help determine how close a company is to meet its educational goal.
Employees who fail the tests or show elevated SE risk based on metrics should be retrained. Unfortunately, even though training, measurement and follow up are proven effective, they are not widely used. The Enterprise Management Association discovered that 56% of personnel had no SE training of any kind.
Personnel needs clear boundaries established by guidance, policies and standard operating procedures from their employers. Thor Olavsrud, IT author and senior writer for CIO magazine, recommends some basic measures. These measures include education on the latest hacks/techniques, awareness of how important the information being released is and knowing which information is the most prized to bad actors. If there is data that can be monetized, it is valuable and worth a social engineering attempt to procure. Proper education and verification for employees will make them aware of the techniques used against them and train them to challenge would-be impersonators.
Personnel needs to change their paradigm of information. Information should be protected like the valuable resource that it is. Additionally, there should be no punitive measures against victims. Punitive measures create an atmosphere where employees will not share incidents and will, in fact, hide potential breaches for fear of employer retaliation.
Lastly, a “need to know” mindset is important for employees to implement. Asking “does this person need to know?” when fielding unsolicited requests are vital to avoiding SE losses. Most of the time if an employee refers to a higher power (e.g. telling the caller they need to ask their manager or check the regulation before providing that info) a social engineer will break off and try an easier target.
Employer processes and policies provide a baseline of knowledge for the employee. To be effective they must be known by every user within the enterprise through education and training with consequences for violating the policies. To ensure a team approach, the policies and processes must also be distributed and embraced by top management as opposed to an edict from the IT department.
Typical policies include 1) procedures for verifying the identity of users to the IT department and IT personnel to users (secret PINs, callback procedures, etc.); 2) policies governing destroying (shredding) of paperwork, disks and other storage media; 3) prohibiting divulging passwords, to whom passwords can be disclosed and under what situations and procedures to follow if someone requests release of passwords; 4) requirements that personnel log off or password-protect their desktop when away from keyboard; 5) physical security processes preventing outsiders accessing systems for nefarious purposes; and 6) strong password rules.
The Proactive Defense
In addition to training and definitive policies, a sense of employee ownership is imperative. If employees begin to take a personal stake in the welfare of their company, they will begin to make fewer errors and be more vigilant. Make no mistake, the technologies of penetration testing, patching, firewalls and the like are imperative to a proactive cyber-defense but without the active engagement of company personnel against social engineering attacks, the biggest liability will remain.
About the Author
Daniel Jetton MBA, MS, MA, CISSP, CAP, PMP is the Vice President of Cyber Services for OBXtek, Inc., an Award-Winning Government Cybersecurity Service Provider providing Information Technology Engineering and Support, Program Management, Software Development, Testing, and Information Security services to the Federal Government. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients.
Mr. Jetton is a former Army Medical Chief Information Officer with over 25 years of experience in cybersecurity, management, strategic planning, and project management.
Daniel can be reached online at (firstname.lastname@example.org). For more information on OBXtek, please visit their website at https://www.obxtek.com/aboutus