This question can sound silly, because every cybersecurity flaw is the result of human behavior. Indeed, every security flaw is ultimately the result of human work: the work of developers or system engineers.
However, hackers plan and execute attacks on several layers: infrastructure, application, and human. As technical cybersecurity solutions become more and more effective, human relationships become a key way into increasingly secure systems.
Attack surfaces from a hacker’s view
Attacking a company's IT infrastructure can give access to a great deal of valuable data. A large-scale attack can even shut down a network, which results in very heavy losses for the target. Faced with these risks, cybersecurity experts first invested most of their efforts in securing servers and network architectures.
This has led hackers to look for more vulnerable entry points, such as web applications.
Web applications are usually less secure because developers are generally less trained in security than system administrators. Moreover, web technologies evolve at a fast pace, and companies' large and urgent needs do not always leave time for security controls within development processes.
But there is now growing awareness of the cybersecurity risks of web applications. This is why application pentesting and web application firewalls are becoming increasingly popular.
In this context, there is one major risk that remains underestimated by cybersecurity specialists: the company's staff.
Hackers can also perform attacks that require no technical skills, only a good sense of human psychology. This is called "social engineering". With well-written phishing emails, phone calls under a fake identity, or a good scenario that opens access to the targeted company's buildings, one can obtain key information that makes cyberattacks much more effective.
Infrastructure, application, human: these three attack surfaces can of course be combined to maximize a cyberattack's chances of success.
The potential impact of phishing emails
Can one really be tricked by a phishing email? Everybody has received emails with terrible spelling asking them to send money to a foreign country, or other requests that we immediately identify as spam.
But there are far more innocent-looking, and far more dangerous, phishing emails. Some look as if they really come from the IT department, some invite us to carefully read important terms and conditions, and some are strongly personalized for each recipient.
If only one recipient falls victim, access to the company's network or to other confidential information can be compromised. Phishing emails often allow hackers to steal logins and passwords or to spread malware such as Trojans.
In 2014, phishing attacks led to 1 billion dollars being stolen from banks all across the world by the "Carbanak" criminal network. Concerning mobile security, experts have found that around 16 million smartphones have been compromised after downloading malicious applications and receiving phishing emails and phishing SMS messages.
But how can these tricks be avoided?
From risk assessment to staff awareness programs
Of course, training your staff is essential. Attacks on the human layer can only be neutralized through education and improved awareness.
But improving people's awareness of cybersecurity threats can be challenging when the risks are largely underestimated. Many people will find it hard to believe that they could be tricked by phishing emails or malicious phone calls.
The first step is to draw people's attention to these issues. The most efficient way is to first conduct a social engineering audit, which will evaluate the risks and the training needs.
A social engineering audit includes social engineering attacks using the same methods as malicious hackers. It allows you to test your teams' spontaneous behavior towards phishing emails, malicious phone calls and physical intrusion into your buildings.
To be realistic, these attacks should be conducted by specialists. They will build tailor-made scenarios that fit your company's business and technical specifics. Scenarios can include several levels of difficulty, according to the targets and their exposure to risk. Executing the attacks requires a high level of professionalism as well as precise reporting. Findings and conclusions are then presented in an audit report.
The results of a social engineering audit make it possible to determine precisely what kind of training is necessary and for which groups within the staff. They also provide fact-based evidence that will be very useful to the trainer in raising awareness. From a pedagogical standpoint, this is extremely effective!