Attacks/Breaches
6/18/2012
09:30 PM

When Will End Users Stop Being Fooled By Online Scams?

Despite millions of dollars in security tools and hours of awareness training, many organizations still find themselves breached by phishing and old-school social engineering attacks. Is there a way to build a better, smarter user?

On a chaotic workday, a top executive scans hastily through dozens of emails that have arrived in the past 10 minutes. There is one from an IT staffer whose name he doesn't know -- he doesn’t know most of the people in IT -- and it states that he needs to do a password reset or he will lose access to his applications. Without thinking, he clicks on the link provided in the email -- and malware is introduced to the entire corporate network.

Every day, employees in enterprises large and small are faced with attacks similar to this one. Fake emails -- or website messages, phone calls, or texts -- that appear to be legitimate elude anti-spam software and Web content filters to arrive at the employee's desk. These fraudulent messages -- collectively known as social-engineering attacks -- are quickly becoming the entrée of choice for cybercriminals, both for the most sophisticated attacks and for everyday spam.

"The social-engineering attacks out there have become more sophisticated than ever," says Dan Waddell, senior director of IT security at eGlobal Technology and a member of the board at (ISC)2, the world's largest association of security professionals. "Cold calls, social-engineering emails, Facebook attacks -- they're getting better all the time, and it's not unusual to see a major breach starting with a targeted spear-phishing attack."

Researchers confirm that phishing -- those fraudulent emails that deliver malware or lead users to the wrong websites -- is on the rise again. According to RSA's May 2012 Online Fraud Report (PDF), instances of phishing were up 86 percent in April, reaching their highest level since September 2011.

The driver behind this growth is simple: People are much easier to fool than computers. While software vulnerabilities or weaknesses in security systems are becoming more difficult for cybercriminals to find and exploit, a single gullible user can introduce a world of trouble into an organization with a single mouse click. Major breaches at RSA, Zappos.com, Sony, and many other organizations have been launched with a single successful targeted phishing attack.

"Social engineering has reached pandemic proportions, yet it’s one of the most ignored attack vectors in security strategies today," says Rohyt Belani, CEO of PhishMe, a service that enables companies to train and test their employees about phishing through simulated attacks. "Both cybercriminals and penetration testers are now saying the same thing: The human element is the weak point in any sort of cyberdefense."

"We have spent the past decade deploying a large number of security controls and investing in protecting servers and applications -- for right now, the user is the easiest target," says Mike Murray, managing partner at MAD Security, a security firm that focuses on modifying the behavior of end users to make client organizations more secure.

While software can be scanned for vulnerabilities, and cyberdefenses can be penetration tested, there are no technological ways to test and patch end users for security weaknesses, experts observe. For many enterprises, then, the question becomes: How can users become smarter and more savvy to potential social-engineering attacks? Is there a way to make a better user?

A growing number of security companies and consultancies are focusing on that very question. Chris Hadnagy, a professional social engineer who has spoken on the topic at the annual Black Hat USA conference, says that organizations need to move security awareness out of the classroom and into users' minds and desktops.

"Almost every company has a security awareness program, but we see more and more of them being compromised all the time, sometimes with the same exploits that have been used for years," says Hadnagy, who also helps run a social-engineering "capture the flag" contest at the Def Con conference every year.

"Why is security awareness training so ineffective? A lot of it is because the training programs themselves are ineffective," Hadnagy explains. "They're impersonal, boring videos or [computer-based training] given mandatorily in classrooms where people spend the whole time texting or IMing. The [employees] are not engaged. They’re not learning anything. And so they make the same mistakes over and over."

Tim Rohrbaugh, vice president of information security at identity theft protection company Intersections, agrees. "Despite a lot of talk about security and breaches, the typical user is as unaware and unconcerned as they’ve always been," he says. "There are user education programs, but the incentives aren't there to get users to really change their behavior. People are still not very good at filtering what’s real and what isn't."

While many security departments try to treat the human problem with technology -- through spam and content filters, as well as tools that simply prevent users from accessing data -- there is a growing wave of experts who are attacking the problem from a human perspective. The key, they say, is to change both the environment that employees work in -- their corporate culture -- and the way they learn about security.

"When we do social-engineering testing, one of the things we find is that employees behave better in companies that really care about security," Hadnagy says. "In a lot of cases, there is a direct correlation between the amount of money the organization spends on security and how their users fare in social-engineering tests. When the organization cares about security and is willing to invest in it, then their employees usually do, too."

Next Page: Instilling a healthy suspicion of the unknown.

Tim Wilson is Editor in Chief and co-founder of DarkReading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments

Bprince, User Rank: Ninja, 6/21/2012 2:20:20 AM
re: When Will End Users Stop Being Fooled By Online Scams?
It is rare that I come across an organization with much in the way of security awareness training.
Brian Prince, InformationWeek/Dark Reading Comment Moderator