Earlier this week I took time out to attend IPExpo in London, a multi-faceted event that casts a net, no pun intended, over the various verticals that make up today's IT infrastructure. Cyber Security took up a good proportion of the floor space and offered a plethora of interesting seminars in an array of theatres, each aligned to a specific niche: Future of Threat Intelligence, Disruptive Technologies and Threat Protection, to name but three.
All this serves to endorse the fact that Cyber Security is a particularly buoyant sector at the moment, somewhat borne out by the fact that the event was awash with freebies, albeit nothing that was truly original. I have a couple of great ideas up my sleeve that no one has yet capitalised on! Watch this space ;)
What stood out for me was the number of seminars that focused on the more psychological aspects of cyber security. If humans are, by and large, the weakest link, then we have to find a way of turning them into the solution. Aimless attempts to drum into people that they need to sort out their passwords are a tired and lazy way of addressing the user problem!
"Don't do this and don't do that" seems to be the mantra, a sort of cyber take on 'project fear'!
Which is why I think 'social engineering' could offer a 'Darwinian' tipping point, whereby we quickly evolve to a situation where we accept that every communication we receive, or request that is made of us, needs to be carefully scrutinised before we act.
For whatever reason, we seem to have evolved to become very trusting and compliant where e-communications are concerned, happily accepting anything proffered to us online, albeit at odds with being brought up from an early age never to accept sweets from strangers!
Growing up in seventies Britain, I recall road safety was a major issue. It still is; however, back then, with far fewer cars on the road, accident rates were considerably higher. We learnt the 'green cross code': stop, look and listen. Maybe we should adapt the same principle for email: stop, look, think? Is everything really as it seems?
Today's fraudster relies on speed and fear. Speed, insomuch as a recipient generally has a whole host of inbound communications to deal with, means that a simple or tempting 'call to action' often results in the fraudster getting their desired outcome. Fear manifests itself in the insecurities that come with modern life. What if I don't do what is asked of me? Could it be career limiting? I'd better just do it!
The reason I believe that social engineering could be a good thing is that it is a play on the traditional confidence trick. Let's look at it this way: outside of our industry, does the world at large really understand what a hacker is, how they operate and what it is they are really after? A stereotyped persona has been established in our minds, where hackers tend to be the guys (it is mostly guys) who will bring down the company network via some form of elaborate attack that no one really gets.
Little thought is given to the fact that they are going to route in via a humble email, one that could just be opened by little ol' me, thinking it was something from my boss. The hacker is akin to the bank robber, something that the average man in the street is never going to have to deal with. Social engineering, on the other hand, positions the hacker as a petty thief or pickpocket, something we are much more aware of. We have a much better idea of their modus operandi and as such know that we, as individuals, have to guard against them.
In summary, it's much easier to get our heads around something that is analogous with daily life and, as such, adapt our behaviour accordingly. I witnessed some really interesting presentations from, amongst others, @drjessicabarker, @Sophos, @dansloshberg and @BAESystems_aIl, all of which included content that would be well received by any 'lay' audience.
The challenge will be to engender caution rather than outright suspicion of everything that we encounter when online. We've enjoyed it being 'free and easy' for too long; now it's time for the cyber security industry to stop peddling fear and start focusing on the interesting, insightful and often amusing anecdotes that expose what is actually happening: in effect, how we are all capable of being socially engineered.
A recent study by the Federation of Small Businesses found that 66% of its members had fallen victim to some kind of cyber attack in the last two years. Of these attacks, the bulk were social engineering scams such as phishing (49%) and spear phishing (37%). The average annual cost to each business was £3,000, a total annual cost to small businesses of £5.26bn.