In my last post, I went on about how the real perimeter of your network is at your users’ workstations. The actions that humans take when they interact with the internet are key to keeping your network secure, and safeguards like email filtering, web filtering, and behavioral anti-malware detection and blocking are really important to help when they don’t make the right choices.
But if you really want to secure your inner perimeter, technology is only part of the answer. Effective attackers know that it is much easier to go after the attack surface of the human mind than that of many applications. If you can train your users to recognize when attackers are targeting them and not to fall for the bait, the resulting protective benefits will be immense.
In the old days, attacks on humans were quite simple and crude. We all remember the days of the Nigerian Princes offering us untold riches. These rather pathetic scams still go on and are surprisingly effective at relieving stupid and greedy people of their life savings. However, today’s attackers are much more subtle and successful at targeting businesses run by smart people and relieving them of hundreds of thousands or millions of dollars.
A recent example from the pages of the Wall Street Journal illustrates an all too common story:
- Step 1: Attacker manages to get hold of company CEO’s email credentials, probably via phishing and probably unprotected by two-factor authentication.
- Step 2: While CEO is on a business trip, the attacker logs in to his email, pretends to be the CEO, and asks his assistant to wire funds to various bank accounts. The assistant, seeing that the emails came from the CEO’s account and that they showed “intimate knowledge” of the business’ bank accounts, makes the transfers.
- Step 3: The attacker absconds with 450,000 USD and the truth comes out only when the assistant makes an offhand remark about having taken care of “the wires.”
The assistant who made the transactions was NOT stupid. He or she saw an email from the boss which looked legitimate and acted on the instructions. He or she trusted the email, which came from the CEO’s real email account. There was nothing that the assistant could have pointed to in the email itself that was a red flag.
The lesson here is one that many companies have learned after losing large amounts of money – you cannot trust email alone for setting up wire transfers (especially of large amounts). This type of attack (called business email compromise) is a well-known pattern used by bad guys to make lots of money.
The only ways that the assistant could have stopped this attack in its tracks were:
- If the company had a strict policy of requiring telephone confirmation of any payment-related activities before a transfer was made.
- If the assistant had been warned about this particular attack pattern in advance, recognized the context (wire transfer + boss out of country and asleep in China) and acted to confirm the transactions.
But they didn’t. The assistant, wanting to do their job quickly and efficiently, and not having the information they needed to put the request into context, didn’t have a chance.
Security professionals have three really important jobs to protect users and companies from attacks like this:
- First, when an attack pattern becomes widespread, like the business email compromise, they need to alert and educate their colleagues about the warning signs and provide a way for the targeted employee to escalate the situation to someone who can help.
- Second, they need to work with their companies to develop policies and procedures (two-factor authentication on email, no wire transfers based on just an email) which provide a backstop for when step 1 isn’t enough.
- Third, they need to make sure that employees are empowered to stop and question instructions that they get in emails from authority figures if they seem to match a known attack pattern or just don’t “smell right.”
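To show what the “no wire transfers based on just an email” backstop looks like when it is enforced rather than merely written down, here is an added example (my own illustration, not code from the original post or from any company described in it). It gates a payment request on an out-of-band confirmation: a phone callback to the number held in the company directory, never a number supplied in the email itself. The directory, the threshold, and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed company directory: callbacks must go to the number on file.
# A number that arrives inside the requesting email is never used, because
# an attacker sitting in the CEO's mailbox can write any number they like.
DIRECTORY_PHONES = {"ceo@example.com": "+1-555-0100"}

@dataclass
class Confirmation:
    channel: str        # "phone" or "in_person"; anything else is not out-of-band
    phone_number: str   # number actually dialled (empty for in-person confirmation)
    confirmed_by: str   # staff member who performed the callback, for the audit trail

@dataclass
class WireRequest:
    requester: str                           # mailbox the instruction arrived from
    amount_usd: float
    confirmation: Optional[Confirmation] = None

def release_decision(req: WireRequest, threshold_usd: float = 10_000.0) -> Tuple[bool, str]:
    """Return (approved, reason). Any wire above the threshold needs a confirmation
    obtained through a channel the email attacker does not control."""
    if req.amount_usd <= threshold_usd:
        return True, "below confirmation threshold"
    conf = req.confirmation
    if conf is None:
        return False, "email-only instruction: call back on a directory number first"
    if conf.channel not in ("phone", "in_person"):
        return False, "confirmation channel %r is not out-of-band" % conf.channel
    if conf.channel == "phone" and conf.phone_number != DIRECTORY_PHONES.get(req.requester):
        return False, "callback went to a number not on file for the requester"
    if not conf.confirmed_by:
        return False, "no named staff member recorded the confirmation"
    return True, "out-of-band confirmation recorded by " + conf.confirmed_by

if __name__ == "__main__":
    # Constructed scenario mirroring the post: an email from the CEO's real mailbox
    # asks for a 450,000 USD wire while the CEO is travelling.
    email_only = WireRequest("ceo@example.com", 450_000.0)
    called_back = WireRequest("ceo@example.com", 450_000.0,
                              Confirmation("phone", "+1-555-0100", "assistant"))
    for r in (email_only, called_back):
        print(release_decision(r))
```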
Flexibility is key here – you are not going to be able to anticipate every social engineering attack technique – the field is evolving as we speak, as evidenced by this very recent blog post. This means that we need to keep tuning our technical protections AND educating our users about how to evaluate emails for deeper red flags than just bad grammar or sketchy URLs.
Securing humans is hard – we have to have a certain level of trust in others to allow society to function. The successful CISO has to spend as much time on this complex attack surface as on others. In my next few posts, I will describe some ways to make your organization more resilient against human targeted attacks.