As the strength of firewalls and antivirus software grows, experts say a careless click of the mouse can still jeopardize an organization’s cyber network. 

A growing trend in cybersecurity is a focus on the “human factor”: the millions of end users who serve as individual vulnerabilities for federal and private sector computer systems. Hackers target specific users with customized phishing attacks that result in access to the organization’s network. The method is referred to as “social engineering.”

“We know well over 90 percent of the very damaging attacks come through that vector,” said Alan Paller, the director of research at the SANS Institute, a Bethesda-based information security research and training organization, in a March 28 interview.

“For the past 18 months, there’s been a radical shift” in the attention social engineering is receiving, said Lance Spitzner, director of the SANS’ Securing the Human Program, on April 2.

The issue has cropped up in congressional hearings, the National Institute of Standards and Technology’s workshop on developing a cybersecurity framework and even a recent presentation by former hacker turned security consultant Kevin Mitnick.

“The bad guys are going after the human element because we’ve spent the last 20 years using technology to secure technology and not securing people,” Spitzner said.

Paller said there are three solutions for countering attacks aimed at end users. The first is critical security controls that go beyond just perimeter defenses. These include “whitelisting,” which only permits authorized software on a system, rapidly patching operating systems and weak programs and reducing the number of people with administrative privileges, according to a Center for Strategic and International Studies report. 

Another control lacking in various federal agencies is a Sender Policy Framework (SPF) record, which prevents email spoofing by authorizing only certain computers to send messages from an organization’s domain.

Eric Fiterman, a former FBI agent who now owns cybersecurity firm Spotkick, said he is able to run software that shows nsa.gov, cia.gov and fbi.gov do not have SPF records. From his office in Baltimore, Fiterman easily sends a fake email that appears to come from the cia.gov domain.
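The check a receiving mail server performs against a sender's SPF record, as an added illustration that is not code from the article or from any of the firms it names. The domain names, records and IP addresses below are constructed for the example; a domain that publishes no SPF record gets a result of "none", which is why a spoofed message from such a domain cannot be distinguished from a legitimate one.

```python
import ipaddress

# Constructed sample DNS TXT records (not real agency data): one domain
# publishes an SPF record, one uses softfail, and one publishes nothing.
SAMPLE_TXT_RECORDS = {
    "example-agency.gov": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "nospf.example": ["some unrelated txt record"],
}

def get_spf_record(domain, txt_records=SAMPLE_TXT_RECORDS):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in txt_records.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None

def evaluate_spf(domain, sender_ip, txt_records=SAMPLE_TXT_RECORDS):
    """Evaluate the connecting sender_ip against the domain's SPF record.

    Returns 'none' when the domain has no record (spoofing is undetectable),
    otherwise 'pass', 'fail', 'softfail' or 'neutral' as in RFC 7208.
    Only the ip4, ip6 and all mechanisms are implemented here.
    """
    record = get_spf_record(domain, txt_records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # mechanisms default to "pass"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")    # ip6 args keep their own colons
        mech = mech.lower()
        if mech == "all":
            return qualifiers[qualifier]
        if mech in ("ip4", "ip6"):
            # A mismatched address family never matches a network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return qualifiers[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present

if __name__ == "__main__":
    for dom, ip in [("example-agency.gov", "198.51.100.7"),
                    ("example-agency.gov", "192.0.2.5"),
                    ("nospf.example", "192.0.2.5")]:
        print(dom, ip, evaluate_spf(dom, ip))
```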

“If they can get someone to open an email, that’s all it takes,” he said on March 28. “That’s just the easiest way in.”

The most spoofed federal agency, the Internal Revenue Service, does have an SPF record, according to Fiterman.

The second method for countering social engineering, Paller said, is through inoculation. This technique sees information security officers sending fake emails to their employees to see who will spot the scam.

Mike Papay, vice president and chief information security officer at Northrop Grumman [NOC], runs such tests. He recently sent a fake email about 2012 tax returns to his 68,000 employees.

“I was surprised. It was a huge number of people that actually took the correct action,” he said on April 16. Employees are advised to report the suspicious email to his office.

Papay said the government does not mandate any specific training or tests in regard to social engineering, but that the defense industry has been ahead of other sectors.

“This is not an area where we’re necessarily competing against each other,” he said at NIST’s cybersecurity framework workshop last month. He said Northrop Grumman and other contractors will share information about hacking attempts since attackers are most likely targeting several companies.

The third method for reducing social engineering attacks is through employee training, Paller said.

Rohyt Belani, whose company PhishMe specializes in such training, said the key is short sessions that are regularly repeated.

“Most organizations try to train people on too many things,” he said on April 5. Instead, his company offers “very focused” two- to four-minute sessions that could be short videos, flashcards or a jeopardy-style game, depending on the organization’s needs.

Belani said he has several defense contractors as clients because attackers know the companies handle large quantities of sensitive information.

“They tend to be much more targeted than some of the agencies themselves,” he said.

With millions, if not billions, of end users with access to proprietary information, the problem can seem insurmountable. The shift in attitude toward the human element of cybersecurity will be integrated with ongoing efforts to improve network infrastructure and secure code development.

“People are nothing more than another operating system (OS),” SANS’ Spitzner said. “We’ve never done anything to secure the human OS.”