We’re all familiar with the saying that a chain is only as strong as its weakest link. It means that the most vulnerable component of a system (or of a program, or of a team) can bring down the whole structure, whether that structure is a computer network, an individual PC, or a corporate department.
In information security, the weakest-link concept is of vital importance, because even the most robust security system can be breached by a hacker, scammer, or malware operator determined to find and exploit that one weak point.
What is the Weakest Link?
Think for a moment about the legendary Trojan Horse. The massive wooden horse was left outside the city gate of Troy, by their Greek foes, as a gift to the people of Troy at the supposed conclusion of the Trojan War.
Flattered, the city fathers opened the gate and brought the wooden horse into the city. Greek soldiers hiding in the hollow horse sneaked out, reopened the gate that night, and let in more Greek soldiers to attack and conquer the Trojans.
What was the weakest link in this intrusion? Was it the horse? The gate? Not at all. It was the city fathers of Troy. Human beings who actually believed that the Greeks who had besieged their city had suddenly decided to abandon the war and offer a gift before departing.
Trending Threats Exploit People
In addition to the ancient Trojan Horse scheme, several threats today rely heavily on human vulnerability in order to breach systems, hijack data, and reap revenue in the bargain.
Perhaps the most notorious of these threats is ransomware, which is estimated to have cost the U.S. $7.5 billion in 2019. That marks five consecutive years of ransomware growth, with national and local governments and public institutions targeted with increasing frequency. According to newly released data, ransomware attacks during 2020 have so far increased seven-fold compared with 2019.
In one version of the scheme, a caller claiming to be a Microsoft technician tells a computer user that a problem has been detected on the computer and that the technician has been assigned to fix it. The user is talked into installing remote-access software or otherwise handing over control of the system, whereupon the “technician” locks or encrypts the data on the computer, making it inaccessible to its owner. No software vulnerability is needed: the user grants the access.
This scam works equally well on corporate employees, city employees, and consumers. To maximize their effectiveness, the most sophisticated ransomware boiler rooms employ both commercial and consumer specialists. In every case, the victim’s data is held hostage until a ransom is paid to the scammer in bitcoin or a similar cryptocurrency.
High Cost of Ransomware Attacks
Countless companies and municipal governments have paid hundreds of thousands of dollars to recover their data and unfreeze their systems. Among them, in 2019 the City of Riviera Beach, Florida paid cybercriminals $600,000, while Jackson County, Georgia, paid a ransom of $400,000.
In a spectacular incident in 2017, criminal hackers infected 153 Linux servers hosted by South Korean web provider Nayana, taking 3,400 client websites offline. After negotiating the ransom down from $4.4 million, Nayana paid $1.14 million. In cases where client data was irretrievably lost, the company is providing permanent free hosting, an expense over and above the ransom paid.
What was the weakest link in these ransomware attacks? In the municipal cases, the human link: the Riviera Beach infection was traced to an employee opening a malicious email attachment, which gave the criminals the foothold their scheme needed. The Nayana case is the exception that proves the point from the other side: its servers were reported to be running years-out-of-date, unpatched software, the other perennial weak link that no amount of attacker sophistication is needed to exploit.
Exploiting COVID-19 Fears
It’s no surprise that another central theme in 2020 cybercrime is COVID-19, or the coronavirus. Cybercriminals have seized every opportunity to create fraudulent advertising campaigns offering fake health products for sale online. Pop-up ads promoting preventative products appear on the web with increasing frequency and in rapidly evolving variations.
In addition, this year cybercriminals have conducted massive email spam campaigns promising new treatments or cures for COVID-19. Preying upon human vulnerabilities—in this case fears of contracting the virus—cybercriminals have become so active that today 40% of all COVID-related emails are spam.
This trend is expected to increase as media coverage of COVID continues to induce fear, alarm, and uncertainty among human populations all over the world.
Congratulations - You’ve Won!
Another trending cybercrime spoofs the Publishers Clearing House Sweepstakes. “Winners” are contacted by telephone and offered millions of dollars and a luxury car in exchange for a modest registration fee to claim their prizes.
This scam is so rampant that Publishers Clearing House has posted various known scenarios along with this warning on their website. “If you are ever contacted by someone claiming to represent PCH, or claiming to be one of our employees, and asked to send or wire money (for any reason whatsoever, including taxes); or asked to send a pre-paid gift card or Green Dot MoneyPak card in order to claim a sweepstakes prize – DON’T! It’s a SCAM. If you are sent a check, told it’s a partial prize award, and asked to cash it and send a portion back to claim the full prize award, DON’T. The check is fake, but the SCAM is real!”
What is the weakest link in these PCH scams? Of course, it is the human link. Human vulnerability is reliable, consistent, and perennial, and as such we are always susceptible to the promise of free gifts, prizes falling from the sky, the lucky pot of gold. Remember Smuggler’s Blues by Glenn Frey? “The lure of easy money has a very strong appeal.” It takes a knowledgeable, well-informed, alert individual to resist these clever temptations.
Humans Make Businesses Vulnerable
Clearly, consumers are vulnerable to ransomware as well as to cybercrimes like the spoofed Publishers Clearing House Sweepstakes.
But when it comes to businesses and governments, scammers, spoofers, and hackers exploit that same human vulnerability. Their objective is to gain unauthorized access to login credentials, intellectual property and trade secrets, personnel and payroll records, personal health information and healthcare records, and other valuable company assets.
All of these company assets can be exploited for profit by those who steal or compromise them. For the victimized organization, that exploitation often results in brand damage and public embarrassment, regulatory fines and penalties, wasted manhours and effort, intense regulatory scrutiny of security systems, and other costs.
Even a trick as simple as piggybacking on an employee’s building entrance code or concocting a cover story about losing one’s key card, can enable a cybercriminal to gain unauthorized access to a company’s offices or systems.
These Cybercrimes Have a Name
When a human link is exploited by a hacker or other bad actor, the act is known as Social Engineering.
Social engineering is a manipulative technique used by attackers as an alternative to breaking into an information system by technical means. Instead of defeating the technology, the cybercriminal contacts and manipulates an individual who already has legitimate access to the data or other asset they seek.
In social engineering, an individual employee is tricked either into revealing credentials or data directly, or into giving the attacker remote access through the employee’s own computer, so the attacker never has to bypass the controls that protect it.
The manipulation can be done by phone, by email, or even in person. And the hacker may pose as a fellow employee from another division, as an executive of the company, as a supplier partner, or as a third-party auditor in order to persuade the targeted employee to fulfill their request for data.
In addition to highlighting other prevailing trends, recent cybersecurity industry reports indicate a growing focus by cybercriminals on social engineering ploys, rather than on developing more sophisticated malware. During this year of COVID, cybercriminals are finding human targets especially vulnerable as more employees work at home or spend more time on their personal computers while furloughed.
Is There a Solution?
It’s the right question to ask. How can I protect my company from social engineering schemes that exploit the human vulnerabilities of my employees?
We certainly can’t change human nature. But we can definitely educate employees to recognize these schemes and be on high alert against them. This process begins with social engineering testing and includes employee training, retraining, and reminding so that the threat remains at top of mind. We suggest hiring an experienced cybersecurity firm, such as 24By7Security, to conduct your social engineering testing and training.
Start with Social Engineering Testing
The vital first step in protecting your organization is to test and evaluate your vulnerability to social engineering attacks. To be thorough, the testing uses different techniques to mimic various social engineering schemes. Following are several examples:
- Using in-person social engineering attempts to gain access to secure business areas in your building or offices.
- Conducting vishing, phishing, and smishing exercises, as well as in-person attempts, to obtain private or proprietary information.
- Performing targeted spear phishing attacks and whaling attacks.
- Conducting various onsite audits to assess whether employees are familiar with company security policies, and whether those policies are applied consistently. Examples might include policies that require clean desks, prohibit password sharing, ban tailgating or piggybacking on a single key card, and so on.
Upon completion of social engineering testing, you will receive a detailed report of our findings along with actionable recommendations that can be implemented immediately. One of those recommendations will always be employee training, because training is the primary means of addressing the human factor. It is not the only one: a well-trained workforce still gets fooled occasionally, so the report also covers the technical controls, such as multi-factor authentication and tested offline backups, that limit the damage when one employee does hand over a password or open an attachment.
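As an added illustration of how a phishing exercise is instrumented (example code written for this page, not 24By7Security’s own tooling), the script below issues a keyed per-recipient tracking link, verifies the link on the landing page so that results cannot be forged or polluted, records clicks and credential submissions without ever storing the submitted password, and computes the per-department click and submission rates that a findings report is built on. The campaign id, secret, landing domain, recipient roster, and outcomes are all constructed sample data.

```python
"""Phishing-simulation tracker: keyed per-recipient links, click and submission
recording, and the per-department metrics a social engineering report needs."""
import hmac
import hashlib
from collections import defaultdict
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical campaign secret (constructed for this example). In a real
# exercise generate one per campaign with secrets.token_bytes() and keep it
# out of the email templates.
CAMPAIGN_SECRET = b"campaign-2020-q3-demo-secret"
LANDING_URL = "https://benefits-update.example/verify"   # hypothetical test domain

# Constructed sample roster; the ids and departments are not real people.
ROSTER = {
    "u001": {"dept": "Finance"},
    "u002": {"dept": "Finance"},
    "u003": {"dept": "Engineering"},
    "u004": {"dept": "Engineering"},
    "u005": {"dept": "Facilities"},
}


def make_token(campaign_id: str, user_id: str) -> str:
    """Per-recipient token: truncated HMAC-SHA256 over campaign and user ids.
    Because it is keyed, one recipient cannot guess another's link, and
    nobody can inject fabricated clicks into the results."""
    msg = f"{campaign_id}|{user_id}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def tracking_link(campaign_id: str, user_id: str) -> str:
    """The URL embedded in the simulated phish sent to one recipient."""
    params = {"c": campaign_id, "u": user_id, "t": make_token(campaign_id, user_id)}
    return LANDING_URL + "?" + urlencode(params)


def resolve_link(url: str):
    """Landing-page side: (campaign_id, user_id) if the token is genuine, else None."""
    q = parse_qs(urlparse(url).query)
    try:
        c, u, t = q["c"][0], q["u"][0], q["t"][0]
    except (KeyError, IndexError):
        return None
    expected = make_token(c, u)
    if not hmac.compare_digest(t.encode(), expected.encode()):  # constant-time
        return None
    return c, u


class Campaign:
    def __init__(self, campaign_id: str):
        self.id = campaign_id
        self.events = defaultdict(set)  # user_id -> {"sent", "clicked", "submitted"}

    def send(self, user_id: str) -> str:
        self.events[user_id].add("sent")
        return tracking_link(self.id, user_id)

    def record_click(self, url: str) -> bool:
        r = resolve_link(url)
        if r is None or r[0] != self.id:
            return False          # forged or foreign link: not counted
        self.events[r[1]].add("clicked")
        return True

    def record_submission(self, url: str, username: str, password: str) -> bool:
        """Fake login page posted credentials. The password is deliberately
        discarded: the report needs to know that the user typed one, never what."""
        r = resolve_link(url)
        if r is None or r[0] != self.id or not password:
            return False
        self.events[r[1]].add("submitted")
        return True

    def report(self) -> dict:
        """Per-department counts and rates for the findings report."""
        by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0})
        for uid, evs in self.events.items():
            dept = ROSTER.get(uid, {"dept": "unknown"})["dept"]
            for e in evs:
                by_dept[dept][e] += 1
        return {d: {**c,
                    "click_rate": round(c["clicked"] / max(c["sent"], 1), 2),
                    "submit_rate": round(c["submitted"] / max(c["sent"], 1), 2)}
                for d, c in by_dept.items()}


def run_demo() -> dict:
    """Constructed outcomes: two Finance users click and one submits a
    password; one engineer clicks; a tampered link is rejected."""
    camp = Campaign("2020-q3")
    links = {uid: camp.send(uid) for uid in ROSTER}
    camp.record_click(links["u001"])
    camp.record_submission(links["u001"], "u001@example", "hunter2")
    camp.record_click(links["u002"])
    camp.record_click(links["u003"])
    forged = links["u004"].replace("u=u004", "u=u005")  # token no longer matches
    camp.record_click(forged)                           # returns False, not recorded
    return camp.report()


if __name__ == "__main__":
    for dept, metrics in sorted(run_demo().items()):
        print(dept, metrics)
```

The keyed token is the part most home-grown trackers skip: with a plain sequential id in the link, any recipient who notices the pattern can click on behalf of colleagues (or a spam filter that pre-fetches URLs can register clicks for everyone), and the report then measures the tooling rather than the people. Submission rate, not click rate, is the number that predicts credential loss, which is why the fake login page records the fact of a submission and nothing else.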
Follow with Employee Training
Cybersecurity awareness training for employees is a critical element of any organization’s overall cybersecurity program. Employees need to understand the value of protecting business assets, including data.
They also need to appreciate how important good security is to relationships with your clients, partners, and the public, and what is at risk when security is breached.
Training should also teach employees:
- The various social engineering schemes in use by cybercriminals
- What action to take if they suspect something is wrong
- Why that action matters
Employees must be familiar with your organization’s information security policies, including escalation procedures and contingency plans. A good training program also offers a range of options based on the organization’s culture and budget.
Popular options include:
- Classroom training
- Online webinars
- Online self-paced training
- Train the trainer
- Email newsletters, regular email reminders, and quizzes
- Reading assignments, such as white papers and blogs
In addition to conducting engaging, impactful training, it is important to periodically quiz employees to reinforce their learning. Equally important is ongoing training, to ensure that the training remains effective and knowledge is retained by employees.
Ongoing training also helps ensure that new employees, part-time employees, and contractors are included in the program, as they are all part of the security chain in any organization.
Current trends in cybercrime include variations of ransomware, sweepstakes and prepaid card fraud, and scams related to COVID-19, according to the latest cybersecurity industry reports. These schemes rely heavily on social engineering techniques to exploit human vulnerabilities, ranging from fear and greed to vanity and naivete. Social engineering continues to thrive by finding what is most often the weakest link in the security chain—the human link.
To address this particular form of cybercrime, social engineering testing and social engineering training are required. Every employee needs to be aware of this manipulative exploitation, how it can be used to trick them into sharing what they shouldn’t, and the serious effects that a security breach can have on their organization. Social engineering education should be reinforced and refreshed through regular testing and ongoing training conducted by the organization or by a qualified third party.
Experience has proven that employees who are well-informed and well-trained are much less likely to become the victims of social engineering schemes, and therefore much less likely to expose their organizations’ data and other assets to ransomware, email fraud, and cybertheft.