Within the last few years, there has been growing popularity in social engineering attacks. We have experienced a change in both end user and attacker behavior, resulting in adaptations in attack methods. Although the attacks are becoming more malicious, the technology to prevent them remains the same.
Social engineering refers to ‘tricking’ users into granting unauthorized parties access to sensitive information and data. Typically, these attacks are non-technical and rely on human-to-human interaction. They prompt end users to break normal security procedures through a variety of methods. Phishing is one of the simplest, yet most effective and harmful, of these methods.
I can bet that almost anyone who has used a computer has experienced a phishing attack at one point or another. Because users are becoming more knowledgeable and experienced, attackers are utilizing new methods that are becoming more malicious. Phishing can take the form of emails, websites, pop-ups, phone calls, and even text messages. Unfortunately, there is little technology available to prevent these attacks. The end user is the last layer of defense between the organization’s confidential information and malicious software.
User awareness trainings are becoming more impactful in preventing attacks. According to the 2014 Attack Vectors Report, only 2% of attacks are from social engineering. While this may seem low in the scope of the engagement, this vector has a nearly perfect rate of compromise. As end users become more aware of what harmful emails or websites look like, attackers are forced to be even more targeted in their attacks. Hackers know that end users will act on emotion. They use fear, greed and curiosity to bait users into providing information (i.e. credit card information, social security number, address, phone numbers, etc.). To make matters worse, the attacks are becoming more personal. Common email phishing attacks pose as personal emails from fellow employees or carry malicious attachments. These emails are followed up with friendly phone calls from your ‘account representative’, who will ask you to open the email and download the attachment now. Some will go as far as to ‘double check your information’ right over the phone with you to ‘prevent further damage’.
Take the recently announced breach of J.P. Morgan Chase, the largest banking institution in the United States. In their annual Stakeholder’s Report, Matt Zames, CIO of J.P. Morgan, stated earlier that they plan to spend roughly $250 million on cyber capabilities. “We’ve nearly doubled our investment in cyber security, including deployment of increased monitoring and protection technology, and we’ve expanded the number of dedicated cybersecurity professionals in the company to focus on protecting our customers and our staff,” said Zames.
However, I must point out that nowhere in his letter does he mention education or awareness. J.P. Morgan is a great example of how crucial it is to have the proper training and education in place to change users’ habits. Attackers are hitting companies right at their weakest point: the end users. Although more organizations are realizing the importance of educating everyone involved (from the CIO to the security guard), annual or bi-annual trainings are not enough. Regardless of the amount of ‘training’ you provide your organization, human error will always take place. It only takes one user to act to set off a chain reaction of trouble. In order to truly prevent phishing attacks, we have to change the habits of our users.