One of the foundational precepts of Stratfor's security analysis is that as security measures become more effective, people increasingly become the weakest link in a security system. For example, when it comes to the U.S. border with Mexico, as walls have been lengthened and checks at entry points have grown more sophisticated, smugglers have increasingly resorted to bribery to circumvent the tighter security. Likewise, "office creepers" and other criminals who target workplaces have figured out ways to bypass the tighter access controls and other physical measures instituted by companies. Perhaps they will enter through a door blocked open by a worker taking a smoke break or follow a legitimate employee through a secured entry by pretending to have misplaced their credentials. This same principle applies to cybersecurity. As greater technical barriers are enacted to secure computer networks against external hacks, their human users have become the weakest link in cybersecurity.
An Old Threat
First, a disclaimer. Those attacking information systems have always singled out the people with access to their targets. From the days of the phreakers looking to make free long-distance calls and the first computer hackers, people with access to information about phone and computer systems have been targets of social engineering attacks. Those approaches rely on a combination of charm, psychology and sociology to get the required information, rather than on technical hacking. In an often-used metaphor, rather than pick the lock on a door, social engineers talk their way into the building or persuade someone to tell them where the spare key is hidden.
There are many ways to pull off a social engineering attack. Some scams get computer users to provide their usernames and passwords or convince system administrators to reset passwords. Social engineers have become adept at exploiting human nature, social norms and respect for authority in their efforts to get people to comply. Their continued ability to obtain login information confirms the viability of this approach. New forms of social engineering scams, such as the "fake president fraud," continue to pop up. In this scheme, scammers send an email appearing to be from the CEO or another senior company officer to an accounts payable executive asking for the urgent and secret transfer of funds.
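As an added illustration (not part of the original article), here is a simple triage check for the "fake president fraud" just described, run over constructed sample messages. The executive list, addresses and wording lists are assumptions chosen for the example; a real deployment would draw them from the company's directory.

```python
import re
from email.utils import parseaddr

# Constructed assumption for this example: the senior officers whose names a
# "fake president" email would borrow, mapped to their genuine addresses.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording typical of the scheme: urgency, secrecy and a request to move money.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|discreet|do not (discuss|mention|tell)|between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_email(msg):
    """Return the fake-president indicators found in one message.
    msg: dict with 'from', 'reply_to' (or None), 'subject' and 'body'."""
    name, addr = parseaddr(msg["from"])
    findings = []
    # 1. The display name is a known executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display name on a different address")
    # 2. Replies would go somewhere else: Reply-To domain differs from From.
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to domain differs from sender domain")
    # 3. The scheme's wording: urgency, secrecy and a payment request together.
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if URGENCY.search(text) and SECRECY.search(text) and PAYMENT.search(text):
        findings.append("urgent, secret payment request")
    return findings

# Constructed sample messages, not real mail.
SAMPLE_SCAM = {
    "from": '"Jane Doe" <jane.doe@examp1e-mail.com>',
    "reply_to": "ceo.jane@webmail.example.net",
    "subject": "Urgent wire",
    "body": "Handle a confidential wire transfer today. Do not discuss this with anyone.",
}
SAMPLE_LEGIT = {
    "from": '"Jane Doe" <jane.doe@example.com>', "reply_to": None,
    "subject": "Q3 numbers", "body": "Please send me the production spreadsheet when you have a minute.",
}

if __name__ == "__main__":
    for m in (SAMPLE_SCAM, SAMPLE_LEGIT):
        print(m["subject"], "->", assess_email(m) or ["no indicators"])
```

Any single indicator is worth a phone call to the purported sender before funds move; all three together is the scheme described above.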
Many online fraud schemes, such as those from a person claiming to be from the IRS or the FBI (or a Nigerian prince), rely more on social engineering than on technical hacking skill. So, in this regard, not much has changed since the days of the phreakers. Many so-called hackers are really confidence tricksters using social engineering rather than coders writing malware. These days, there are far fewer people writing the code for hacking tools than people using them.
Anybody for Phishing?
Another type of person-focused cyberattack is phishing, the attempt to persuade a user to click on a hyperlink or to open an email attachment that would end up installing malware on his or her device. In many cases, the malignant software can migrate from an individual computer to other systems connected to the same network. Malware allows hackers to access the files on an infected computer, to use the infected systems as part of a botnet, or increasingly, to deliver ransomware, software that encrypts the data on an infected system, allowing hackers to demand payment before they will deliver the key to unlock the encryption.
While many phishing attempts are rather awkward and not difficult to spot once someone has been warned about the tactic, a more refined technique called spear-phishing is far more insidious. This highly targeted form of phishing uses an advanced social engineering approach to deliver malware. The spear-phishing email will refer to its target by name and purport to be from a friend, co-worker or superior — someone the target trusts.
Recently, a sophisticated spear-phishing scheme came to light involving an Iranian-based hacking group that established a fake social media account in the persona of an attractive woman. The attackers used the account to connect with an employee of a targeted company and eventually strike up an online friendship. Through the fake account, the hackers persuaded the employee to set up a website for the woman's business. When the hackers, in the guise of the female "friend," sent a file to his work email account, he opened the attachment. The malware within infected his company's network, allowing the hackers to gather sensitive information on at least six of the firm's clients. This "virtual honey-trap" operation demonstrates the variety of social engineering approaches that can be used to trick people into unwittingly compromising cybersecurity.
The Inside Threat
Not all human threats to cybersecurity involve unwitting victims. The cases of massive data dumps involving Chelsea Manning, Edward Snowden and others are reminders that malicious insiders also pose a significant security risk. Indeed, today's technology makes it easy for someone to walk out the door carrying a large amount of data. An 8-gigabyte thumb drive can hold over 15,000 100-page Microsoft Word documents, and external hosting sites such as Dropbox can hold many times that. That is a far cry from the days of smuggling a paper document out of the office in one's undergarments.
Ideology can motivate insider threats. Such insiders could become opposed to some aspect of a company or organization during their employment, or they could intentionally join a firm or group that aims to harm it. The same holds true for financially motivated insiders, far more common than ones driven by ideology. There have been many cases of employees trying to sell proprietary information for personal gain or giving that information to a competitor in exchange for a job.
But not all insider threats are self-motivated. As I've previously noted, it is quite dangerous to ignore the espionage part of the term "cyber espionage."
A human intelligence operator would have little difficulty recruiting inside agents to assist in getting data — or accessing a computer network. Using traditional human intelligence approaches involving money, ideology, compromise (sex) or ego, it would be easy to find a willing partner in most companies or organizations. As I often say in public speeches, if I were to run an attractive honey trap aimed at your information technology department, I could quickly get full access to your computer network. This vulnerability raises the question about how much access companies give IT staff members and what kinds of internal controls are in place to ensure they don't misuse their privileges.
But, of course, IT staffers aren't the only targets. Other employees can be recruited to make a seemingly innocent click on a phishing email or to apparently naively connect a malware-infected flash drive to their corporate computer. They could later claim they found the drive on the break room floor. Insiders can also provide hackers with a detailed understanding of company culture and relationships, including copies of past emails that can be used to craft convincing spear-phishing attempts. For example, knowing that Bill frequently sends Ned spreadsheets of production numbers and that Ned calls Bill "Billy" could result in a spear-phishing email likely to be successful. While most mass downloaders pose a one-time threat, a recruited mole could compromise cybersecurity over an extended period.
Sadly, in several recent hacks, it has emerged that data networks were compromised simply because someone didn't take the time and effort to install updates intended to patch weak spots in the operating software. While some sophisticated hackers have access to unique zero-day vulnerabilities, ones unknown to the software vendor and thus not patched, for the most part, hacking tools are designed to exploit identified weaknesses, and this limits their shelf life against updated software. In the end, the failure to apply patches is simply one more way in which humans leave networks open to cyberattacks.
Most assaults on computer networks exploit negligence or gaps in security, but as those holes are sealed and targets become harder to exploit technically, attackers will focus on the many vulnerabilities presented by the human element.