Cyber Security and Human Vulnerability
By TorchStone VP, Scott Stewart
In today’s ultra-connected world, all organizations face the constant and persistent threat of cyber attacks. In the United States alone in 2021, there were 847,376 complaints made to the FBI of cybercrime, resulting in losses of over $6.9 billion.
This was a seven percent increase over the previous record of 791,790 complaints set in 2020.
While there are many motives for cyber attacks—including terrorism, hacktivism, and intelligence gathering by hostile governments and competitors—general crime is the most common reason businesses suffer breaches.
FBI figures also reveal that attackers primarily utilize ransomware or business email compromise schemes to improperly gain access to money or valuable personal or proprietary information.
While a lot of attention is paid to “zero-day” exploits, they are rarely encountered, and when they are, it is only at the hands of extremely sophisticated actors.
The same is true of technical hacks exploiting system vulnerabilities. If software is properly configured and kept patched, it is rare for a system to be compromised.
Tech’s Achilles’ Heel
When we examine data from the FBI about the types of attacks reported, it quickly becomes evident that it is not the systems being targeted most frequently—it is the people operating the machines.
In 2021 the FBI recorded 323,972 cases of phishing, vishing, smishing, and similar schemes (fraudulent emails, phone calls, and/or texts), as opposed to only 979 computer intrusions.
There were also tens of thousands of other cybercrimes that targeted humans such as romance scams, investment fraud, tech support schemes, employment scams, business email compromises, and many others.
This is not to say that technical intrusions are not a threat that should be guarded against.
However, as technical security gets better, humans quickly become seen as the weakest link in the cyber security chain.
Humans with access to information systems have always been in the crosshairs of those seeking access to the information transmitted over or stored in those systems.
While cryptography has always been an important facet of espionage, it is often easier to steal a code than it is to break it.
Therefore, couriers and code clerks have been targeted by espionage operations for as long as coded messages have been written and sent.
Human-centric targeting has continued as the telegram, radio, telephone, satellites, and eventually, computers were adopted as channels for confidential communication.
People who once primarily used technical skills to make free long-distance telephone calls (phreakers) have evolved into bad actors who take advantage of modern communications and use social engineering as a hacking technique.
The most common attack methods used, such as phishing and smishing, are really just social engineering conducted via email or text rather than over the phone or in person.
These days there are far fewer people writing code for hacking tools than people using them.
The vast majority of cybercrimes reported to the FBI rely on some form of social engineering attack instead.
Most hackers who use social engineering are better thought of as confidence tricksters rather than as coders writing malware.
There are many different approaches to conducting a social engineering attack, and social engineers have become adept at exploiting human nature, social norms, and respect for authority in their efforts to get people to comply with their requests for information.
Their continued ability to successfully use social engineering techniques—even after all the warnings and training conducted to help defeat them—shows how creative and adaptable they remain.
Not all human threats to cyber security involve unwitting victims duped by clever social engineers. Malicious insiders also pose a significant threat.
Sometimes these insiders are self-motivated and steal data to enrich themselves, expose a wrong, or damage the organization to exact revenge for some real or perceived grievance.
Today’s technology makes it easy for someone to walk out the door carrying a large amount of data.
A 32-gigabyte thumb drive can hold over 60,000 100-page Microsoft Word documents, and external hosting sites such as Dropbox can hold many times that amount of information.
That’s a far cry from the days of smuggling a paper document out of the office in one’s undergarments.
Ideology can also motivate some insider threat actors.
Such insiders could become opposed to some aspect of the company or organization during their employment, while others intentionally infiltrate an organization to cause harm.
The massive data dumps perpetrated by Edward Snowden and Chelsea Manning are good examples of ideologically motivated insiders.
Financially motivated insiders are far more common than ideological insiders.
They can either decide to steal proprietary information while employed or join the organization with the intent of stealing sensitive and lucrative information.
There have been many cases of employees trying to sell proprietary information for personal gain or giving that information to a competitor in exchange for a job.
Many insiders are self-motivated by greed, but they can also be recruited by hostile actors.
The Government of China has created the Thousand Talents Program with the specific intention of recruiting people with access to sensitive proprietary information.
It is often easy for a hostile actor to recruit an insider in most companies using common human intelligence approaches such as money, ideology, compromise (such as sex), or ego.
Quite often, it is a combination of those factors that facilitates the recruitment, as in the case of a Serbian engineer who sold the industrial secrets of his employer, AMSC, to a Chinese company.
The engineer felt slighted by AMSC (ego) and was offered a lucrative financial package by the Chinese company (money), plus promised ample sex with his soon-to-be Chinese co-workers (compromise).
Ultimately, the engineer’s betrayal cost AMSC hundreds of millions of dollars.
In addition to stealing proprietary information, a recruited cyber insider could also provide access to networks, provide information that could be used to craft targeted spear-phishing attempts, or install malware.
An example of this occurred in 2013 when a Chinese intelligence officer recruited an employee of the French aerospace company Safran and tasked the employee with inserting malware into Safran’s computer network by plugging an infected thumb drive into a company computer.
Cyber attacks can also involve physical intrusions, as in the case of the August 2017 black-bag attack against the Raynham, MA, headquarters of Medrobotics by a Chinese agent.
The intruder tailgated into the headquarters building and was found in a conference room after hours in possession of two laptop computers, an iPad, two portable hard drives, 10 cell phone SIM cards, two flash drives, and two digital video cameras.
It is believed he was attempting to hack into the company’s network using its visitor wireless LAN.
Unfortunately, in many organizations, security programs focus on protecting against technical attacks and, aside from some phishing training, rarely pay much attention to combatting other forms of human-targeted hacking.
Cyber security is often considered to be an information system problem that only technical personnel can address and thus exclusively the responsibility of the Chief Information Security Officer (CISO).
But because cyber attacks can arrive through many different vectors, the threat they pose must be addressed holistically.
Chief information security officers must work closely with chief security officers, human resources, legal counsel, people managers, and others if they hope to protect their companies from the array of human-targeted cyber threats.
Ultimately, protecting against human-targeted cyber attacks is only possible with a well-informed workforce, and by employing a coordinated effort across the entire company.