Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/18/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

How Cybercriminals Exploit Simple Human Mistakes

A new report explores how attackers identify psychological vulnerabilities to effectively manipulate targets.

"People make mistakes" is a common and relatable phrase, but it's also a malicious one in the hands of cybercriminals, more of whom are exploiting simple human errors to launch successful attacks.

The Information Security Forum (ISF) explored the topic in "Human-Centered Security: Addressing Psychological Vulnerabilities," a new report published today. Human vulnerabilities, whether triggered by work pressure or an attacker, can expose a company to cybercrime. As more organizations fear "accidental insiders," addressing these vulnerabilities becomes critical.

In its report, ISF cites a stat from FireEye, which last year reported 10% of attacks contained malware such as viruses, ransomware, and spyware. Ninety percent of incidents were more targeted — for example, impersonation scams, spear-phishing attacks, and CEO fraud.

"What was clear for me is that if we are going to really try to address some of the more emerging threats that are targeting individuals, then we need to understand some of the ways in which users behave and why they behave," says ISF managing director Steve Durbin. He points to a "total shift" in the way employees can be managed to optimize security. After all, he says, most don't turn up for work each day with the intent to cause harm to the the company.

The brain has to process a lot of information before it arrives at a decision; however, humans are limited in the amount of time they have to make a choice with the data they have. This is why the mind seeks cognitive shortcuts, or "heuristics," to alleviate the burden of decision-making. Heuristics help people more efficiently solve problems and learn new things, but they may lead to cognitive biases that contribute to poor judgment or mistakes in decision-making.

So long as companies don't understand the implications of cognitive biases, researchers say, they will continue to pose a significant security risk. ISF's report lists 12 biases, all of which can have different effects on security. One example is "bounded rationality," or the tendency for someone to make a "good enough" decision based on the amount of time they have to make it.

Bounded rationality can prove dangerous during a cyberattack, when tensions run high and an analyst may make a "good enough" decision based on the data and tools at their disposal.

Another bias commonly seen in the workplace is "decision fatigue," or a decrease in mental resources after a series of repetitive choices. At the end of a long day, employees tend to lean toward easier decisions, which may not be the best decisions. "The attacker knows by conducting the attack in late afternoon, it'll provoke poor decision-making," Durbin explains.

Creating the Attacker's Advantage
Each of these vulnerabilities gives attackers an opportunity to strike. While many of their tactics remain the same, they have also grown in sophistication and cost-effectiveness. Criminals can use "social power" to exert influence over others and manipulate them into making mistakes.

There are six different types of social power: reward power, which promises a reward if the task is complete; coercive power, which uses punishment to influence behavior; referent power, which uses the "cult of personality" to manipulate followers of celebrities; informational power, which uses specific information to convince a target the attacker is legit; and expert power, which attackers use to impersonate someone with expertise — someone who should be trusted.

Psychologically savvy attackers can leverage these tactics in several different types of attacks. Spear-phishing is most common and increasingly popular, says Durbin, but other techniques are becoming popular, too. Whaling, for example, is a type of phishing email designed to hit a single, high-value target, usually a senior executive or someone with privileges access. Criminals use a long-term approach, employing different forms of social power over a period of time to build credibility.

Baiting, another tactic, is similar to phishing but promises a reward to entice the target: Free music or movie downloads may be traded for credentials to a certain website. Smishing, or social engineering done via text messages, is likely to become much more popular as people are less aware of cyberattacks arriving via SMS. Vishing, or social engineering via phone, lets attackers use their voice to build a rapport. Some criminals are using AI to become more convincing.

"The phone has tended to be something that has remained out of the more commercial phishing and attack scenarios that we've seen," Durbin says. "We're starting to see it emerging now." And while the voice impersonation tactic requires access to the right technology, he anticipates this is an area that will grow. With the right tech, the attack isn't difficult.

What's important to remember about human-focused cybercrime is this isn't about employees being less intelligent or more negligent, he continues. "This is human nature. If you catch us on the wrong day or catch us in a certain way, we will behave accordingly," Durbin adds. "You don't actually know how the individual is feeling on a particular day."

What You Can Do
Researchers recommend reviewing your organization's security culture, starting from the most senior roles. This can inform a better understanding of how different departments value security and pinpoint which areas have more human vulnerabilities. From there, security leaders can identify threats, tailor responses, and help employees handle stressful situations.

Security admins should also aim to understand how employees use technology, controls, and data. Consider how these interactions may vary across locations and cultural settings, and brainstorm how controls and technologies can be designed around the person using them.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, But Definitely 'Well Done'."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.