Cyber security strategist Eddie Doyle explains how social engineering attacks prey on individuals’ vulnerabilities

Social engineering describes the process by which threat actors trick employees into giving up sensitive data, say a password. How is it that people fall for such tricks, and how can we prevent them?

This is extremely prevalent today with Covid-19 still being a very big issue. We’ve seen massive scams that have taken place online with people selling the Covid-19 vaccine.

Most of this is on the dark web; some of it is just phishing attempt emails. But think about this for a moment: there are people in the most vulnerable of positions.

Most people who are young and healthy probably won’t fall for this trick, but there are people out there that are very scared of it.

That piece of vulnerability is what threat actors always take advantage of, and that’s the problem.

Threat actors are always going to be out there, so creating technologies to stop them is necessary. We have incredible technologies that law enforcement and private industry use to stop these kinds of social engineering attacks against people.

But you can’t stop someone from having a conversation, from picking up a phone call and saying, ‘do you want some of this Coronavirus vaccine?’ As soon as you’re in a position of need, somebody else is in control, and so we need to show people how to fortify themselves mentally so they’re not in a place of vulnerability.

This is also where HR departments need to step up.

What are some of the top threats that organisations face through their employees?

Unfortunately, I have to bring Covid-19 up again, because it was the largest exodus from corporate sites in human history, and also the largest shift in wealth in human history - it has been completely unprecedented.

To use an analogy, throughout the last 25 years of the internet’s history and cybersecurity, we’ve built this amazing castle with walls. We dug a moat, filled it with water and alligators, and we put a drawbridge in - the drawbridge being your firewall.

We said, ‘nothing else is coming in and out of this castle unless it goes over this drawbridge’, which is your firewall, intrusion, and data leak prevention, and we created little doors and windows.

Then cloud computing came along, above the castle walls, and started dropping information and sucking information out. Well, this was data leakage, and industries weren’t ready for it.

Then Coronavirus came into the castle walls, so we sent all the villagers back out to the village and we said, ‘go do your work from the village’.

Now the threat actors can see the whole village and all the people in the village and there’s no castle wall protecting them.

This is a problem that was created in less than six months, for the first time in human history – it’s pretty wild.

So because of this, you have to wrap a blanket of security through technology and education around your employees. We’re already starting to see the future, which is all about blockchain and artificial intelligence.

That is the future but today, what we can do is make sure that every employee is identified within our system, and that the remote access control is unique to each and every person. You need massive granularity on a system so you can see where users go, what they’re doing, and what things they’re trying to touch and not trying to touch.

Behavioural analytics can help, and I’ll give you an example. We caught a guy fairly recently who was working at an aviation company and was embedding proprietary turbine engine technology, that is, the data, into watchable YouTube videos.

He was working for this company, stealing information and embedding it into YouTube videos, which is called steganography. Now, these YouTube videos were ‘how to’ videos on other products that this company manufactures, like big gas turbines. They were legitimate how-to videos.

What the behavioural analytics engine does is create a trend and a baseline for a person’s behaviour. So, let’s say he produces eight YouTube videos a week; the system then creates a baseline and knows that this particular individual creates roughly eight videos a week.

All of a sudden, he’s producing 20 because thieves are greedy, and this tripped him up. Because of the increase, the behavioural analytics engine goes, ‘hey, this looks weird, we need to put some human eyes on this thing.’

And from this, human forensics found out that he was actually stealing this information.
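As an added illustration of the baseline-and-deviation logic Doyle describes (this is not Check Point’s engine; the users and weekly counts are constructed), a toy per-user behavioural baseline in Python that flags a week far above a person’s own normal rate for human review:

```python
"""Toy behavioural-analytics baseline (added example, not the engine described).

For each user, a trailing window of weekly activity counts (here: videos
published) forms a baseline using the median and the median absolute
deviation (MAD), which a single spike cannot drag upward. A week whose count
sits more than `k` scaled MADs above the median is queued for human review.
"""
from statistics import median

# MAD-to-standard-deviation scale factor for normally distributed data.
MAD_SCALE = 1.4826


def robust_baseline(history):
    """Return (median, MAD) of past weekly counts; MAD is floored at 1 so a
    perfectly flat history cannot divide by zero or flag a +1 week."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, max(mad, 1.0)


def anomaly_score(history, current):
    """How many scaled MADs `current` sits above the baseline median."""
    med, mad = robust_baseline(history)
    return (current - med) / (MAD_SCALE * mad)


def review_queue(weekly_counts, window=8, k=3.0):
    """Walk each user's weekly counts with a trailing baseline window and
    return [(user, week_index, count, score)] for weeks that need human eyes.
    Weeks before the first full window have no baseline and are never scored."""
    queue = []
    for user, counts in weekly_counts.items():
        for i in range(window, len(counts)):
            score = anomaly_score(counts[i - window:i], counts[i])
            if score > k:
                queue.append((user, i, counts[i], round(score, 2)))
    return queue


# Constructed sample data: one user who normally publishes about 8 videos a
# week and suddenly produces 20, and one whose normal rate is about 20 (no alert).
SAMPLE_WEEKLY_COUNTS = {
    "uploader-a": [8, 7, 9, 8, 8, 10, 7, 8, 20],
    "uploader-b": [19, 21, 20, 22, 18, 20, 21, 20, 22],
}

if __name__ == "__main__":
    for entry in review_queue(SAMPLE_WEEKLY_COUNTS):
        print("escalate:", entry)
```

The baseline is per person, so the same count of 20 is an outlier for one user and routine for another; the score only tells an analyst where to look, as the interview stresses.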

Tell me a few small changes businesses can implement today to protect themselves

It’s all about training, this is what we need.

The way we teach adults in a workplace environment is absolutely incorrect.

I’ll give you my own personal experience. In the US, every director and above in various different companies, certainly the one I’m in, has to take mandatory GDPR training. So, how do I approach something that’s been forced down my throat and mandated to me? I don’t even look at the screen, I just click, click, click through it.

And this is a true story: I got 100% compliance with my GDPR training, but if you ask me anything about GDPR, I know nothing.

We’re trying to educate our employees so that they can become more robust, stronger, and fortified, and yet, let’s be honest, most people will approach training as I do.

This is compliance. You’re not changing me, making me stronger, or giving the company the advantage of knowing GDPR; we are no better off, and yet we’ve spent time and money doing this. So what’s the solution?

The solution is called chunking. We’ve actually known this since 1956, from the most cited paper in psychological literature since the 1950s. Dr Miller, the Harvard and Princeton professor, created something called Miller’s law.

Miller’s law is the idea that the average human being can remember five to nine things for 20 minutes and then forgets them.

We have to chunk training on a daily basis. So for essential training like cybersecurity training, you must give people a flash of it every single day: a ‘byte’ of training in cybersecurity every single day, because repetition changes neuroplasticity, and then you get behavioural change.

What are your cybersecurity predictions for 2021?

When a private organisation can censor a sitting president and many other people, big fakes or deep fakes start to have an inroad, because if you cut off the voice of a person that 17 million people are following, they’re going to try and find that person elsewhere, and so deep fakes can then pop up. This is exactly what happened.

There were tons of fake accounts saying, ‘we’re going to nuke things, we’re going to do this, we’re going to do that’, and people don’t know if it’s him saying it.

Additionally, because of tech censorship, there were literally millions of people who cancelled their accounts on Twitter and Facebook and such sites. So where are the scammers going to go?

The majority of scams today reside in big tech, in these huge social programmes like Facebook, so we’re starting to see such scams move to text: WhatsApp, Telegram, Signal. I’ve been on Signal and Telegram for many years and I never saw it before on those two programmes, but they’re moving in that direction, and I don’t think people are ready for it.

The threat actors will go wherever the people go, and if the people are exiting some social media, they’ll go with them.

In addition to that, the remote working business model is going to stick around. We are talking about hundreds of thousands of employees from many different companies around the globe no longer commuting into the office.

That is fantastic news for our environment, but what’s going to happen with security? How are these people going to be protected from threat actors who can now hack your television to go lateral on your Wi-Fi and then break into your computer to steal personally identifiable information? Or, for industrial espionage, stealing secrets from your organisation, or encrypting your laptop and engaging in cybercrime like ransomware?

We have to be able to protect against those things.

Eddie Doyle is cyber security strategist at Check Point Software Technologies. Other cybersecurity speakers are available to book via The Motivational Speakers Agency.