CHAPTER 4: HUMAN THREATS

Some of the biggest threats to cyber security come not from technology, but from the people who use it. According to a 2019 report by Verizon, 34% of security incidents (out of 41,686 analysed) were attributable to internal actors.14

Most insider threats are not actively or deliberately malicious. In fact, most of the time, cyber incidents that are traced to insiders are simple mistakes that anyone could make, like being tricked by a cloned email. A 2018 report by Ponemon Institute that surveyed more than 3,000 insider incidents attributed only 23% of them to criminal and malicious insiders.15

Protecting against human threats requires training: employees need to know how to identify and respond to phishing emails and other commonly encountered threats. They also need to know how to go about their daily job in a secure manner, whether that be locking filing cabinets when not in use, or knowing which databases contain sensitive information and how to access them securely. Secure working doesn’t just protect the organisation from attacks, but also helps prevent accidental damage to information and information systems by promoting a conscientious approach to daily tasks.

Training is a good defence against attacks that take advantage of human nature, but it is equally important to develop a culture of security within the organisation, and an environment that supports it. Employees who are busy or stressed are less likely to remember and apply the training, and more likely to fall victim to common attacks.

Employees who fear punishment for falling victim to an attack will be less likely to report suspected attacks, which puts your whole organisation at risk. The culture of security you create, and the environment in which that culture operates, must be positive. The blame game doesn’t help anyone.

Social engineering

Social engineering attacks have existed since the early days of human civilisation. From the ancient Greeks’ use of the Trojan Horse to attack Troy, to Victor Lustig’s efforts in the 1920s to sell the Eiffel Tower for scrap (twice), con artists have plied their trade and caused misery to millions.

Social engineering is a type of attack in which a person is manipulated into doing something they shouldn’t, such as opening an infected email attachment or divulging sensitive information. Social engineering attacks are one of the most common cyber security concerns, with 83% of respondents to Proofpoint’s 2019 “State of the Phish” report experiencing phishing attacks in 2018.16

Social engineering attacks come in all shapes and sizes, from the ‘classic’ email attachment scam to complex ‘pretextual’ attacks in which the attacker manufactures a convincing scenario to achieve their goal.

Phishing

The most prevalent form of social engineering attack, phishing is the act of fraudulently obtaining information through electronic communications that appear to be from legitimate sources. Phishing comes in a variety of flavours depending on the target and the method of execution, but the most common vector is email.

Phishing emails have come a long way since the infamous ‘Nigerian Prince’ emails of the early 2000s. While some phishing emails still feature poor spelling and grammar and describe implausible scenarios that demand the urgent provision of your bank details, many are now far more subtle.

Most phishing emails are crafted to look just like an email from a legitimate sender – using the same fonts, logos and phrasing to convince you that the email is real, and using spoofed sender addresses to further enhance their legitimate appearance. The email will invariably ask you to open an attachment or click a link – perhaps to reset your password, or to update your payment information. Do so, and you become the victim.

Links in phishing emails will appear to be legitimate, but closer examination often highlights discrepancies like deliberate misspelling or use of dubious subdomains. The website you visit may have been created to steal your credentials, or the attachment you open may contain a malware payload that gives the attacker access to your network. The outcome is rarely immediately visible, as in most cases this would trigger a security response.

While a large percentage of phishing is untargeted ‘bulk’ attacks, more targeted methods are also used. Phishing that targets specific organisations or persons is called ‘spear phishing’, and often masquerades as emails from suppliers or other trusted third parties. A further variant is ‘whaling’, which targets senior executives with well-crafted emails designed to appeal to them specifically – perhaps masquerading as a contract dispute or escalated customer complaint. The flipside of whaling is business email compromise (BEC), in which the phishing email appears to come from a senior executive.

Other variants of phishing include phishing by phone or voice over Internet Protocol (‘vishing’) and by text message (‘smishing’). A determined attacker can compromise any communication medium to deliver phishing attacks with enough effort.

The payload delivered depends on the type of attack. Untargeted phishing emails generally deliver malware (e.g. a worm or a Trojan), while whaling and BEC attacks often attempt to steal login credentials or extort payment.

Social media

Social media may be a great tool for communicating and sharing information, but like any online activity, it comes with its own set of risks. We happily share our photos, locations and sensitive information with little thought to our own security or privacy. We also rarely consider the risks our social media activity might pose to others – whether friends, family or the organisations we work for.

When sharing information on social media, it is important to consider how that information might be used. Password reset functions, for example, often have a security question as an additional layer of security: your mother’s maiden name, your first pet, or a school you attended. You may think your answer is something that few people would know, but if you’ve posted family details or photos of pets on social media, or signed up to a school reunion page, then that information might be freely available to criminal hackers.

Information shared on social media is of immense value, but passive information collection isn’t the only risk. ‘Catfishing’ – the use of a fake profile to elicit sensitive information from a person – is common on social media platforms, including dating apps and websites. The fake profile will begin an apparently innocuous conversation to gain the recipient’s trust, then over time, will manipulate the recipient into providing more information.

Catfishing is frequently used to perform reconnaissance on an organisation, eliciting information from the organisation’s employees in preparation for an attack. It is also used to steal credentials, or even whole identities.

Social media apps can also be a source of risk, even when developed by large organisations like Facebook. In 2018, security researchers identified a vulnerability in Facebook’s Messenger app that allowed criminal hackers to expose a user’s contact list and messages.17

To defend against social media attacks, develop a policy on the use of social media on work computers. It should prohibit employees from posting sensitive information about your organisation on social media and might also ban installing social media apps on mobiles and other portable devices. Train employees to understand the risks posed by social media to help them stay safe at home as well as at work.

Staying safe online

Using the Internet has been an everyday experience for so long that most of us give it little thought. We visit our favourite websites and go about our business online without much consideration for the risks, yet the simple act of browsing to a website can expose us to malware or other threats. While it is impossible to remove the risks entirely, safe browsing principles go a long way towards mitigating them.

Keep tools up to date, and use them

Your organisation’s policies should ensure that browser and security tools (like antivirus or anti-malware software) are up to date and switched on. This ensures your systems always have the latest available security fixes. Policies should also take advantage of browser-based protection (e.g. warnings when a potentially unsafe website is visited) where available.

Browser-based protection should not be confused with the ‘Do Not Track’ (DNT) functionality common to most major browsers, which sends a message to the website or application asking it not to track the session. Supporting DNT requests is entirely voluntary on the part of the website or app operator, so very few websites honour them, making DNT essentially useless.

The W3C Tracking Protection Working Group, who were responsible for development of the DNT specification, closed in early 2019 citing lack of adoption. Apple removed the functionality from its browsers shortly afterwards over concerns that it could contribute to browser ‘fingerprinting’.18 While DNT is only one datapoint among many that could be used to identify a given browser, this is perhaps the only browser security tool that should be switched off.

Check for secure connections and legitimate website addresses

Train users to check URLs carefully before entering login credentials or other sensitive information and never input any sensitive information into an unsecured website. Users should check to see if the website uses HTTPS and has a valid SSL certificate (by looking for the padlock icon next to the address bar) before entering any login details – the certificate should have the same name as the company whose website they are trying to access.

It is important that users understand that the padlock icon alone doesn’t mean the site is safe – it only means that the information between the browser and the website is encrypted and cannot be read if intercepted. Attackers can spoof the entire address bar, including the padlock (especially on mobile devices where screen space is a limited commodity), or register a legitimate SSL certificate for a domain name containing international characters that superficially resembles a legitimate site.

Some browsers display a warning when you click a link whose address contains international characters, and if you ignore the warning and navigate to the site, they show the address in Punycode, the ASCII-compatible encoding used for internationalised domain names, in which each affected label begins with ‘xn--’ (so the non-ASCII character in the spoofed link above appears in its ‘xn--’ form). This at least shows the user that the address uses international characters (assuming, of course, that the address bar hasn’t been spoofed as well), but finding this out while already using the site is hardly ideal.

Handle with care

Train users to be careful what they click. Before clicking any link, whether on a website or in an email, users can mouseover it to see the destination URL. If it doesn’t match the visible link, or the destination URL looks suspicious, users should understand not to click it.
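The checks described in the last two sections (is the link HTTPS, does the address use international characters that a browser would show as ‘xn--’ Punycode, is a trusted name being used as a subdomain of some other domain, and does the visible link text point somewhere other than the real destination) can also be applied automatically to the links in a suspect message. The following Python script is an added example and is not code from the chapter; the trusted-domain list, the sample email and the registrable-domain approximation are assumptions made for illustration.

```python
"""Link checks for a suspected phishing email (added example, not from the chapter).

Flags the tells the text describes: plain HTTP, international characters in the
host (shown by browsers as xn-- Punycode), a trusted name used as a subdomain of
an untrusted domain, and anchor text that shows one address while the href goes
elsewhere. TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed for illustration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domain the organisation treats as legitimate (an assumption for
# this example, not a value from the chapter).
TRUSTED_DOMAINS = {"example-bank.com"}

# Anchor text that looks like an address, e.g. "example-bank.com" or "https://a.b/x".
_LOOKS_LIKE_ADDRESS = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)
_LOOKS_LIKE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. login.example-bank.com -> example-bank.com.
    Deliberately simplified: production tooling uses the Public Suffix List so that
    names such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> list[str]:
    """Human-readable findings for one URL; an empty list means nothing was flagged."""
    findings: list[str] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)

    if parsed.scheme != "https":
        findings.append("not HTTPS")
    if _LOOKS_LIKE_IPV4.match(host):
        findings.append("host is a bare IP address")

    # International characters: the browser would display these labels as xn-- Punycode.
    if any(ord(ch) > 127 for ch in host) or any(lbl.startswith("xn--") for lbl in host.split(".")):
        try:
            ascii_form = host.encode("idna").decode("ascii")
        except UnicodeError:
            ascii_form = "<not a valid IDN>"
        findings.append(f"international characters in host (Punycode form: {ascii_form})")

    # A trusted name buried inside the host (example-bank.com.login-verify.net) is a
    # different registrable domain, controlled by whoever registered login-verify.net.
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(f"trusted name {trusted} used inside untrusted domain {reg}")
    return findings


def check_link(href: str, text: str) -> list[str]:
    """URL checks plus a comparison of the visible text with the real destination."""
    findings = check_url(href)
    if _LOOKS_LIKE_ADDRESS.match(text):
        shown = text if "://" in text else "https://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {shown_host} but destination is {real_host}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def review_email(html: str) -> dict[str, list[str]]:
    """Map each href that produced findings to its list of findings."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return {href: f for href, text in parser.anchors if (f := check_link(href, text))}


# Constructed sample message. The second href spells the bank's name with a
# Cyrillic 'а' (U+0430) in place of the Latin 'a'.
SAMPLE_EMAIL = """\
<p>Dear customer, your account will be suspended unless you
<a href="http://example-bank.com.login-verify.net/reset">reset your password</a>
or sign in at <a href="https://ex\u0430mple-bank.com/">https://example-bank.com/account</a>.</p>
<p>Regards, <a href="https://example-bank.com/support">Example Bank Support</a></p>
"""

if __name__ == "__main__":
    for href, findings in review_email(SAMPLE_EMAIL).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Run stand-alone, the script reports the first two links and stays silent on the genuine support link. The registrable-domain helper is the weak point of any such checker: without the Public Suffix List it treats `example.co.uk` and `other.co.uk` as the same domain, so a real deployment should swap that function for a proper implementation.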

Remote working

The freedom to work from home, on the train, or in another country entirely is a huge boon to employees and employers, but it brings with it a host of risks. Controlling those risks is necessarily harder because remote employees operate outside your organisation’s logical perimeter (the boundary within which your networks and information reside). Extending those boundaries without effective controls makes your security more permeable than it would otherwise be.

Of all the risks associated with remote working, loss or theft is probably the most common. Mobile devices such as phones or laptops are easily lost or forgotten while travelling, and theft has long been a risk for portable equipment of any kind. Your remote working policy should contain requirements for the handling of mobile devices while off-premises: don’t leave devices unattended, especially in public places; don’t store devices in vehicles, especially overnight; don’t leave devices unlocked, etc.

Remote working invariably requires the worker to connect to the Internet. Free Wi-Fi is available in a wide range of places, from trains to cafés, but using it can be risky. Criminal hackers can create false wireless access points to harvest credentials and other sensitive network traffic, while poorly secured networks can expose you to malware or man-in-the-middle (MITM) attacks.

The safest option is to prohibit such devices from connecting to public Wi-Fi at all, but this isn’t always possible. If use of a public Wi-Fi network can’t be avoided, the next best option is to connect to a virtual private network (VPN). A VPN allows you to connect securely to another network via the Internet, preventing anyone monitoring Wi-Fi traffic from intercepting the data you send or receive.

USB charging is another source of risk. Most USB sockets allow data transfer as well as power transfer, and cyber security professionals have already demonstrated that it is possible to deliver malware and even record the screens of devices connected to chargers.19 Mobile device and remote working policies should prohibit the use of public USB charging points in all but exceptional circumstances, and require USB data blockers – an adapter with the data transfer pins removed, so that only power passes through – where public charging is unavoidable. You might also consider disabling USB ports on laptops and other portable devices.

One risk associated with remote working that many of us give little thought to is eavesdropping. Most of us assume a certain degree of privacy, even in public spaces, and we discuss sensitive topics openly in bars, restaurants, etc., assuming no one is listening.

Sometimes, though, someone is listening. An executive who commutes via train and regularly takes business calls during the journey is a prime target for reconnaissance by hostile actors. An attacker could take the same train and sit close enough to be able to hear the executive’s conversations. Given enough time, the attacker might glean useful information about the executive’s organisation – information that can then be used to carry out a more technical attack. While such disclosures are naturally difficult to control, ensure that your cyber security training includes advice not to discuss confidential matters in public places.

‘Shoulder-surfing’, where someone reads your screen over your shoulder, is another common problem when working remotely in public places. While the easiest way of mitigating this risk is simply to sit somewhere that prevents someone from viewing your screen from another angle, this isn’t always an option. To add another layer of protection, provide users with privacy screens for laptops and similar devices. These reduce the effective viewing angle of the screen, making it impossible for the screen to be viewed from the side.

Example: WannaCry

In 2017, a major ransomware attack struck systems across the globe. The program, known as ‘WannaCry’, infected a huge number of systems across organisations including Nissan and FedEx. In the UK, the NHS was hit hard, with more than 70,000 computers and items of medical equipment affected in 80 NHS organisations. The attack saw more than 19,000 operations cancelled and cost the NHS an estimated £92 million – all because someone clicked a malicious link or opened a malicious file.

The WannaCry ransomware spread by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol that allowed code to be executed on the target system. The US National Security Agency (NSA) is believed to have identified the vulnerability as far back as 2012, but instead of notifying Microsoft, it developed a tool to exploit the vulnerability, codenamed ‘EternalBlue’.20

At some point – it is not clear when – the NSA realised that there was a possibility that EternalBlue had been stolen. Believing the usefulness of the tool to be diminishing and concerned for the potential impact if the exploit were to be used at scale, NSA informed Microsoft of the vulnerability. Microsoft responded quickly, releasing a critical security patch for all supported operating systems in March 2017.

In April of that year, the criminal hacker group known as the ‘Shadow Brokers’ released the code for EternalBlue. Two months later, WannaCry hit the headlines.

WannaCry spread as far and as fast as it did due to a combination of unclear incident response procedures and the failure to apply security patches promptly. While individual NHS organisations began informing NHS Digital, the police and others that something was wrong on the morning of the first attacks, there was no coordinated response until that evening.21

Microsoft’s March 2017 security patch applied to all supported operating systems including Windows 7 – yet Windows 7 accounted for around 98% of WannaCry infections worldwide.22 None of the 80 affected NHS organisations had installed the patch, despite advice to do so issued by NHS Digital in April 2017.23

The WannaCry attack illustrates both the importance of effective patch management, and how quickly an attack can spread without a tested and effective incident response plan. If the patch had been applied and the response better coordinated, the attack might have been prevented entirely, or at least had less of an impact.

14 Verizon, “2019 Data Breach Investigations Report”, August 2019, https://enterprise.verizon.com/en-gb/resources/reports/dbir/.

15 Ponemon Institute and ObserveIT, “2018 Cost of Insider Threats: Global Organizations”, April 2018, https://www.ponemon.org/blog/tag/cost%20of%20insider%20threats.

16 Proofpoint, “State of the Phish 2019 Report”, January 2019, https://www.proofpoint.com/us/corporate-blog/post/2019-state-phish-report-attack-rates-rise-account-compromise-soars.

17 Shannon Liao, “Facebook Messenger had a vulnerability that could let hackers see who you contact”, The Verge, March 2019, https://www.theverge.com/2019/3/7/18254788/facebook-messenger-vulnerability-attack-imperva-iframe-malicious.

18 Glenn Fleishman, “How the tragic death of Do Not Track ruined the web for everyone”, Fast Company, March 2019, https://www.fastcompany.com/90308068/how-the-tragic-death-of-do-not-track-ruined-the-web-for-everyone.

19 Catalin Cimpanu, “Officials warn about the dangers of using public USB charging stations”, ZDNet, November 2019, https://www.zdnet.com/article/officials-warn-about-the-dangers-of-using-public-usb-charging-stations/.

20 Ellen Nakashima and Craig Timberg, “NSA officials worried about the day its potent hacking tool would get loose. Then it did.”, Washington Post, May 2017, https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html.

21 National Audit Office, “Investigation: WannaCry cyber attack and the NHS”, April 2018, https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf.

22 Russell Brandom, “Almost all WannaCry victims were running Windows 7”, The Verge, May 2017, https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics.

23 William Smart, “Lessons learned review of the WannaCry Ransomware Cyber Attack”, Department of Health and Social Care, February 2018, https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf.
