Phishing and the Human Attack Surface

So what is a hacker to do if corporate security defenses are becoming more effective? Companies are adopting more sophisticated multi-layered security technologies and processes.

Businesses are ramping up their investment in security to protect themselves. Two-factor authentication, quicker operating system patching, firewalls, endpoint protection everywhere, secure email and web gateways – the sophistication and effectiveness of advanced security measures keep increasing.

Increasingly, cybercriminals are going after the softest target: you and me. The human attack surface, with its wildly variable and fallible behaviour.

To illustrate how the human factor is the cyber attacker’s holy grail, here are some fun (not) findings from Proofpoint’s Human Factor 2018 Report.

  1. Social engineering is the hacker’s key to phishing success. Not technology. A critical point, as social engineering is person-to-person. It neatly sidesteps all those expensive advanced security technologies and engages directly with us folks. Humans who are gullible, easily deceived, under-trained, probably tired, busy, certainly curious, want to help, and have fingers that left-click quicker than their brains engage.
  2. A fun Proofpoint recommendation: use phishing simulations to see who in your business falls for it. Find out who clicks, then make an example of them (ok, Proofpoint didn’t say that last part).
  3. Business Email Compromise (BEC) almost totally relies on analogue, person-to-person strategies. None of the usual signs such as malicious links and attachments are present. The email message doesn’t get caught by standard security filtering, and instead uses convincing language to trick the recipient into taking the desired insecure action (the requisite “bean spillage”, i.e. pay an invoice, transfer money). Phone calls and other channels are commonly used during the attacker’s research phase to uncover the key players in an organisation. It’s social engineering to find names and roles – most often C-level and the finance department. The aim is any action that persuades the victim that the disclosure of sensitive information and the sending of money is legitimate and authorized.
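Because a BEC message carries no link or attachment for a filter to scan, triage has to lean on the language and the context of the request. The following is an added example (not from the post or from Proofpoint) of a simple scoring heuristic over constructed messages; the executive display-name check and the company domain are assumptions, not something the report describes.

```python
import re
from dataclasses import dataclass

# Hypothetical organisation data, constructed for this example.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address
FINANCE_ROLES = {"accounts payable", "finance", "cfo"}

PAYMENT_PHRASES = ("wire transfer", "pay the invoice", "transfer funds",
                   "updated bank details", "process the payment")
URGENCY_PHRASES = ("urgent", "immediately", "asap", "before end of day",
                   "keep this confidential")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class Message:
    display_name: str
    sender: str
    recipient_role: str
    body: str
    attachment_count: int = 0


def bec_score(msg: Message) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more BEC-like."""
    body = msg.body.lower()
    score, reasons = 0, []
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        score += 3
        reasons.append(f"payment request language: {hits}")
    if any(p in body for p in URGENCY_PHRASES):
        score += 2
        reasons.append("urgency or secrecy cue")
    if msg.recipient_role.lower() in FINANCE_ROLES:
        score += 1
        reasons.append("recipient in finance role")
    real = EXECUTIVES.get(msg.display_name.lower())
    if real and msg.sender.lower() != real:
        score += 4
        reasons.append("executive display name from unexpected address")
    if hits and not URL_RE.search(body) and msg.attachment_count == 0:
        # A payment request with nothing to scan: link/attachment filters
        # see nothing here, so the wording itself has to carry the verdict.
        reasons.append("no link or attachment to scan")
    return score, reasons


def triage(msgs: list[Message], threshold: int = 5) -> list[Message]:
    """Messages that deserve a human (or out-of-band) check before any payment."""
    return [m for m in msgs if bec_score(m)[0] >= threshold]
```

A real mailbox rule would add sender authentication results (SPF/DKIM/DMARC) and a call-back-to-known-number process for any payment change; the scorer only surfaces candidates.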

Human nature is always the biggest vulnerability. Check out the Human Factor 2018 Report from Proofpoint here.