Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/18/2019
04:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

How Cybercriminals Exploit Simple Human Mistakes

A new report explores how attackers identify psychological vulnerabilities to effectively manipulate targets.

"People make mistakes" is a common and relatable phrase, but it's also a malicious one in the hands of cybercriminals, more of whom are exploiting simple human errors to launch successful attacks.

The Information Security Forum (ISF) explored the topic in "Human-Centered Security: Addressing Psychological Vulnerabilities," a new report published today. Human vulnerabilities, whether triggered by work pressure or an attacker, can expose a company to cybercrime. As more organizations fear "accidental insiders," addressing these vulnerabilities becomes critical.

In its report, ISF cites a stat from FireEye, which last year reported 10% of attacks contained malware such as viruses, ransomware, and spyware. Ninety percent of incidents were more targeted — for example, impersonation scams, spear-phishing attacks, and CEO fraud.

"What was clear for me is that if we are going to really try to address some of the more emerging threats that are targeting individuals, then we need to understand some of the ways in which users behave and why they behave," says ISF managing director Steve Durbin. He points to a "total shift" in the way employees can be managed to optimize security. After all, he says, most don't turn up for work each day with the intent to cause harm to the the company.

The brain has to process a lot of information before it arrives at a decision; however, humans are limited in the amount of time they have to make a choice with the data they have. This is why the mind seeks cognitive shortcuts, or "heuristics," to alleviate the burden of decision-making. Heuristics help people more efficiently solve problems and learn new things, but they may lead to cognitive biases that contribute to poor judgment or mistakes in decision-making.

So long as companies don't understand the implications of cognitive biases, researchers say, they will continue to pose a significant security risk. ISF's report lists 12 biases, all of which can have different effects on security. One example is "bounded rationality," or the tendency for someone to make a "good enough" decision based on the amount of time they have to make it.

Bounded rationality can prove dangerous during a cyberattack, when tensions run high and an analyst may make a "good enough" decision based on the data and tools at their disposal.

Another bias commonly seen in the workplace is "decision fatigue," or a decrease in mental resources after a series of repetitive choices. At the end of a long day, employees tend to lean toward easier decisions, which may not be the best decisions. "The attacker knows by conducting the attack in late afternoon, it'll provoke poor decision-making," Durbin explains.

Creating the Attacker's Advantage
Each of these vulnerabilities gives attackers an opportunity to strike. While many of their tactics remain the same, they have also grown in sophistication and cost-effectiveness. Criminals can use "social power" to exert influence over others and manipulate them into making mistakes.

There are six different types of social power: reward power, which promises a reward if the task is complete; coercive power, which uses punishment to influence behavior; referent power, which uses the "cult of personality" to manipulate followers of celebrities; informational power, which uses specific information to convince a target the attacker is legit; and expert power, which attackers use to impersonate someone with expertise — someone who should be trusted.

Psychologically savvy attackers can leverage these tactics in several different types of attacks. Spear-phishing is most common and increasingly popular, says Durbin, but other techniques are becoming popular, too. Whaling, for example, is a type of phishing email designed to hit a single, high-value target, usually a senior executive or someone with privileges access. Criminals use a long-term approach, employing different forms of social power over a period of time to build credibility.

Baiting, another tactic, is similar to phishing but promises a reward to entice the target: Free music or movie downloads may be traded for credentials to a certain website. Smishing, or social engineering done via text messages, is likely to become much more popular as people are less aware of cyberattacks arriving via SMS. Vishing, or social engineering via phone, lets attackers use their voice to build a rapport. Some criminals are using AI to become more convincing.

"The phone has tended to be something that has remained out of the more commercial phishing and attack scenarios that we've seen," Durbin says. "We're starting to see it emerging now." And while the voice impersonation tactic requires access to the right technology, he anticipates this is an area that will grow. With the right tech, the attack isn't difficult.

What's important to remember about human-focused cybercrime is this isn't about employees being less intelligent or more negligent, he continues. "This is human nature. If you catch us on the wrong day or catch us in a certain way, we will behave accordingly," Durbin adds. "You don't actually know how the individual is feeling on a particular day."

What You Can Do
Researchers recommend reviewing your organization's security culture, starting from the most senior roles. This can inform a better understanding of how different departments value security and pinpoint which areas have more human vulnerabilities. From there, security leaders can identify threats, tailor responses, and help employees handle stressful situations.

Security admins should also aim to understand how employees use technology, controls, and data. Consider how these interactions may vary across locations and cultural settings, and brainstorm how controls and technologies can be designed around the person using them.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, But Definitely 'Well Done'."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26252
PUBLISHED: 2021-01-20
OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...
CVE-2020-26278
PUBLISHED: 2021-01-20
Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vulnerability in which can allow an attacker to take over any host in the cluster. Weave Net is suppli...
CVE-2021-1235
PUBLISHED: 2021-01-20
A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to read sensitive database files on an affected system. The vulnerability is due to insufficient user authorization. An attacker could exploit this vulnerability by accessing the vshell of an af...
CVE-2021-1241
PUBLISHED: 2021-01-20
Multiple vulnerabilities in Cisco SD-WAN products could allow an unauthenticated, remote attacker to execute denial of service (DoS) attacks against an affected device. For more information about these vulnerabilities, see the Details section of this advisory.
CVE-2021-1247
PUBLISHED: 2021-01-20
Multiple vulnerabilities in certain REST API endpoints of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to execute arbitrary SQL commands on an affected device. For more information about these vulnerabilities, see the Details section of this advisory.