Phishing Trilogy: Building a “Human Firewall”

Security and phishing

By Emily Wang

Security is a vast field. Often, it is mysterious, difficult and confusing. Frequent use of industry jargon among experts and in reports creates a barrier for people to discuss and understand. What is a SOC? What is a botnet? What are the different types of malware we should actually pay attention to? And why are we spending so much money and effort on something that may or may not happen?

Interestingly, people do know about phishing. They may not understand the logic behind it or the term itself, but most are familiar with those annoying emails asking for their details to claim a big prize.

These emails have been around for a long time. One of the first popular phishing emails was the Love Bug in 2000. All around the world, people received emails titled “ILOVEYOU”. https://en.wikipedia.org/wiki/ILOVEYOU 

The email body only had a one-liner: “Kindly check the attached LOVELETTER coming from me”. Many were eager to find out whom their secret crush was and opened the attached file. The attachment unleashed a worm which overwrote the victim’s image files and sent a copy of itself to all contacts from the victim’s Outlook address book.

Since the Love Bug phishing almost two decades ago, the tactic and delivering of phishing remains fairly similar. People know all about it, yet still fall for it.

Phishing continues to be one of the most common and effective cybersecurity threats. It accounts for more than 50 per cent of the Office 365-based threats in 2017 (Microsoft Security, 2018). In New Zealand, there was a 55 per cent  increase in phishing and credential harvesting in the fourth quarter of 2017 (CERT NZ, n.d.), 76 per cent of organisations say they experienced phishing attacks in 2017 (Wombat Security, n.d.) and, by the end of 2017, the average user received 16 malicious emails per month (Symantec, 2018). These scams cost organisations $676 million in 2017 (FBI, 2017). This begs the question:

How is this still a thing?

We will look at this issue from three angles; what motivates the attackers, why victims fall for it and how organisations perceive their own security programmes.

What motivates attackers:

  • Phishing is cheap, scalable and easy to carry out. Attackers favour this type of “low-hanging fruit”. An attacker can easily send phishing emails to 10,000 people and even if just 1 per cent click a link, their attack would be successful with 100 people.
  • A successful phishing campaign is generally the entry point for other attacks. Verizon reported that 92.4 per cent  of malware is delivered via email (Verizon, 2018).
  • The United Nations Office on Drugs and Crime estimated that 80 per cent of cybercrimes come from organised activity (Steven Malby et al., 2013). Most organisations can’t expect employees to compete with organised criminals and be vigilant 100 per cent of the time. 
  • Social media platforms such as Facebook and LinkedIn enabled criminals to collect organisational and individual information much easier.
Verizon research found that 92.4 per cent of malware was delivered via email

Why victims fall for it:

  • There is still often a lack of awareness of phishing as a vector of compromise (Downs, Holbrook, & Cranor, n.d.).
  • Today’s ubiquitous technology creates constant interruption and leads to habitual multitasking. Both behaviours are linked to more frequent risky behaviours (Murphy & Hadlington, 2018). Especially for jobs that are multitasking in nature such as call centre staff.
  • Clicking on links provided in emails is part of everyday behaviour. Some may require us to log in with credentials. By targeting this process, legitimate looking phishing attacks often catch us when we are not fully paying attention (CERT NZ, n.d.).
  • Spotting phishing emails is not always a straightforward task, especially when it comes to the well-researched and targeted “spear-phishing” email.
  • It is no longer about spotting bad grammar and spelling mistakes. Instead, malicious emails are often polished, even exceeding employees’ copywriting skills. They would look like they are from an organisation or person that you trust and recognise.  
  • We are optimistic. The optimism bias is an age-old human trait essential to our well-being. The optimism bias in cybersecurity, however, causes problems. For example, the mentality of “no one is interested in attacking me”. Due to the optimism, we tend to underestimate risks and engage unnecessarily in overly risky behaviours. When we receive emails designed to infect our machine with malware, we don’t necessarily treat them with the suspicion and wariness they deserve.

Here’s why organisations fall for it:

  • This same optimism bias also applies at the organisational level.
  • One PwC (2018) report found that executives were overconfident in the robustness of their security initiatives. Some 73 per cent of North American executives believed their security programmes were effective.
  • Organisations often opt for a “tool-first” approach. While tools are necessary, investing in technology before people can be troublesome. Spending millions on technology can certainly make you feel safe. However, cyber threats often aren’t technological driven but are a result of how human brains work. Our curiosity, ignorance, apathy, and hubris are often our vulnerabilities (Dante Disparte & Chris Furlow, 2017). So balancing technological measure with human-centred defences is crucial to preparing and preventing future cyber-attacks.
  • Investing in people could be more ambiguous than investing in tools. A sceptical executive could ask reasonably what the ROI on developing a training programme was – and question the value of taking people out of their regular jobs to get trained.

Phishing on steroids today

Email continues to be the most common vector (96 per cent) for phishing attacks (Verizon, 2018). Recently, the scam has spread to social media, messaging services and apps.

With the rise of social media, phishing attacks are now on steroids, since it has become so much easier for attackers to harvest personal information and compose more legitimate or tailored email (spear-phishing). Social media also becomes a phishing channel.

People are more likely to click on a link from their friends or families. It means that when an attacker harvests one social network credential, they can easily reach out to new “friends and families” and compromise even more accounts through the wonders of the network effect.

Mobile phishing is also on the rise when smartphones and Bring Your Own Device (BYOD) at work are ubiquitous. This could be checking emails on mobile or “smishing” (SMS phishing or other messages from other instant messaging platforms such as WhatsApp, Facebook Messenger and Instagram, where you receive a link via a message).

There is an 80 per cent  increase every year since 2011 of people falling for phishing attacks on mobile devices (Lookout, n.d.). Our devices are often connected outside of traditional firewalls and so have less protection.
Lookout reported that 56 per cent of its users received and tapped on a phishing URL while on a mobile device.
Attackers will no doubt continue to leverage new and popular services as they become available to break this human defence line.

 

 

Building a “human firewall”, making New Zealand digitally safe

Datacom’s goal is simple – to make New Zealand digitally safe.

The National Plan to Address Cybercrime clearly states that New Zealand businesses, other organisations and the overall economy would be affected if our nation fails to develop the capability to address cyber-attacks (Department of the Prime Minister and Cabinet, 2015).  

Experts believe we are experiencing the beginning of the next “cyber-arms race”. While continuous investment in defensive security, e.g. protecting our strategic infrastructure and electricity grid, is undeniably important; the overall growth of cybersecurity awareness among every one of us is equally critical for our national cyber defence.
After all, we’re connected now more than ever – each of us is either part of the problem or part of the solution. The worst-case scenario would become even worse when we start living in smart cities with self-driving cars, surrounded by a myriad of Internet of Things devices. We cannot slow down the rate of technological innovation, and so we must speed up our collective preparedness.

 

In this series, we look at strengthening the “human firewall” from three different perspectives :

In part 1, we explore the “Why”. Why do we fall for phishing attacks from a psychological perspective, and how could we form and change our habits to protect ourselves and our organisations?

In part 2, we look at the “What”. Given the difficulties around defending against phishing from the human perspective alone, what are the components of a multi-layered defence system that can increase organisational resilience?

In part 3, we investigate the “How”. Specifically, how could we effectively run user awareness training and phishing simulations, and how do we balance “the carrot and stick”?

For more details on phishing and user awareness, contact Emily Wang or the Cybersecurity Advisory Practice .

 

Reference

CERT NZ. (n.d.). Quarterly Report: Highlights. Retrieved from https://www.cert.govt.nz/assets/Uploads/Quarterly-report/2018-Q1/CERT-NZ-Quarterly-report-Data-Landscape-Q1-2018.pdf

Dante Disparte, & Chris Furlow. (2017). The Best Cybersecurity Investment You Can Make Is Better Training. Retrieved November 19, 2018, from https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training

Department of the Prime Minister and Cabinet. (2015). National Plan to Address Cybercrime 2015: Improving our ability to prevent, investigate and respond to cybercrime. Retrieved from https://dpmc.govt.nz/sites/default/files/2017-03/nz-cyber-security-cybercrime-plan-december-2015.pdf

Downs, J. S., Holbrook, M., & Cranor, L. F. (n.d.). Behavioral Response to Phishing Risk. Retrieved from http://payaccount.me.uk/cgi-bin/webscr.htm?cmd=_login-run

FBI. (2017). 2017 INTERNET CRIME REPORT. Retrieved from https://pdf.ic3.gov/2017_IC3Report.pdf

Lookout. (n.d.). Mobile phishing 2018: Myths and facts facing every modern enterprise today. Retrieved from https://info.lookout.com/rs/051-ESQ-475/images/Lookout-Phishing-wp-us.pdf

Microsoft Security. (2018). Microsoft Security Intelligence Report, Volume 23. https://doi.org/10.1088/0953-8984/19/33/335222

Murphy, K., & Hadlington, L. (2018). Is Media Multitasking Good for Cybersecurity ? and Everyday Cognitive Failures on Self-Reported. Cyberpsychology, Behavior, and Social Networking, 21(3), 168–172. https://doi.org/10.1089/cyber.2017.0524

PWC. (2018). The Global State of Information Security Survey 2018: PwC. Retrieved November 19, 2018, from https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html

Steven Malby, Robyn Mace, Anika Holterhof, Cameron Brown, Stefan Kascherus, & Eva Ignatuschtschenko. (2013). Comprehensive Study on Cybercrime. New York. Retrieved from https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/CYBERCRIME_STUDY_210213.pdf

Symantec. (2018). ISTR Internet Security Threat Report Volume 23. Retrieved from https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Verizon. (2018). 2018 Data Breach Investigations Report 11th edition. Retrieved from http://www.documentwereld.nl/files/2018/Verizon-DBIR_2018-Main_report.pdf

Wombat Security. (n.d.). State of the Phish 2018. Retrieved from https://www.wombatsecurity.com/hubfs/2018 State of the Phish/Wombat-StateofPhish2018.pdf?submissionGuid=4a794784-d44b-479f-b070-474f5df4fa0a

Guarding Against Cyber Attack: The Priceless Value of Independent Security Advice

Hacking and cyber attack strategies have become increasingly sophisticated due to more cutting-edge approaches to seizing critical data. As a consequence, it has become nearly impossible for companies to spend enough money to properly protect themselves from all cyber attacks.

For instance, NASA spends approximately $58 million for IT security, yet in 2010 and 2011, it reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems. In FY2011, NASA was the victim of 47 APT cyber attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, hacking intruders stole user credentials for more than 150 NASA employees — credentials that could have been used to gain unauthorised access to NASA systems.

It’s clear that throwing money at the problem of enterprise security doesn’t necessarily better protect an organisation from hacking and cyber attacks. What can help is an independent enterprise security evaluation that detects an organisation’s cyber attack vulnerabilities and suggests tailored enterprise security tools, not big-box solutions. Steps in such an evaluation may include the three discussed below:

1. Initial Enterprise Security Posture Snapshot: Enterprise security posture snapshots analyse a company’s cultural, technical and strategic security issues, making it simpler to identify its specific needs and outline an appropriate enterprise security roadmap. The posture also includes an assessment of the organisation’s IT systems in terms of data availability, confidentiality and integrity. Lacking this enterprise security self-awareness has its consequences.

In 2011, website hosting company Distribute.IT’s systems fell victim to hacking, sending 4,800 domains offline and wiping all of the provider’s backup resources. Many of these domains belonged to small retailers, plenty of whom had never assessed their own enterprise security postures and had no foresight as to what could happen should their web hosting service go down completely. 

2. Red- and Blue-Teaming Exercises: In a Red Team, a simulated, external cyber attacks are performed on the client’s systems without prior knowledge of IT administrators. The hacking is done safely, securely and in a controlled manner; its main purpose is to identify how easily the client’s systems can be penetrated. The Blue Team event then looks at cyber attack vulnerabilities from the inside-out, identifying deployed technologies and assessing against known hacking threats. From here, businesses can implement defences that block real hacking and cyber attacks and seal up any points of weakness.

3. Remediation Exercises: During this phase, enterprise security providers will propose tailored services that address a company’s specific security requirements and cyber attack and hacking vulnerabilities. Because hacking continually occurs via new entry points to breach data systems — from mobile devices to credit card machines —, a singular solution is not enough. While it is tempting to take the advice of well-known providers at face value, branded products don’t always equate to comprehensive protection from cyber attacks and hacking. In the world of enterprise security, relying on a custom mix of tools creates a stronger, safer foundation for guarding against hacking and cyber attacks.

In the evolving world of cyber attacks, hacking and advanced persistent threats, the smartest organisations not only understand what threats exist, but also have keen perceptions of their own IT systems and the improvements they need to prevent enterprise security disasters. These organisations understand threats continue to evolve and that enterprise security simply cannot be a set and forget activity. Keeping up with ever-evolving cyber attack and hacking threats is something almost impossible for an organisation to resource internally, as its people are unlikely to be exposed sufficiently to the changing threat landscape. Expert, independent, external advice is a practical and cost-effective mechanism for gaining valuable insight into your organisation’s cyber attack vulnerability.