Today I received an email. Like most of you, I receive dozens of emails every day, but this one was different – and it proves my point – People Are Security Flaws. How do we upgrade them?
I have been working in and around the IT security market for many years now. Companies spend millions on all sorts of excellent technology, from full proxy servers to anti-virus on the PC. It’s a multi-billion dollar industry and it’s a never-ending story, a sort of Groundhog Day for technology users.
Of course, you have heard of the recent Tesco Bank breach; that breach, along with many others such as Target, is increasingly the work of criminals using what is known as ‘social engineering’. This is where users are conned into giving away information, perhaps because they think the email they are responding to is from a colleague or an internal authoritative source. It is called ‘phishing’ or ‘spear-phishing’. It is the people factor that is most vulnerable to deception.
In a way, criminals changing tack from attacking systems directly to attacking users means that the systems are now often too strong for all but the most capable hackers. It’s good news of a sort.
People Are Security Flaws – How?
Let’s return to the email I mentioned at the top of the article. It was a third-hand email, its origin twice removed from me. It was one of those change.org emails – well-intentioned certainly, but it also opened up a door: had I been a social engineering hacker, it would have supplied me with plenty of ammunition to gain the trust of this particular local government office.
Here’s what happened:
The email was sent to approximately 30 people within the organisation. It was a change.org petition that required as many people to sign it as possible – you know the story. One of the 30 people then sent it to a friend outside the main departmental ‘circle of trust’, who promptly sent it to me. This is often not a problem but the originator of the email had not been trained in the use of their email system. This is an all too common problem – an assumption is always made about people’s ability to use email properly.
Without the right training, this person added an email group into the ‘To’ field. No problem so far, but as soon as someone forwarded it to someone else the list was printed out in full, with names and email addresses, within the body of the email. Of course the forwarder could have deleted the list but probably didn’t see it. By the time the next person received it the list was below the bottom of the screen and out of sight. The email was then forwarded complete with the departmental make-up. Fortunately the email arrived at my PC, where it has stopped.
The problem is that with 30 recipients and a good cause I wouldn’t be surprised if several of the group had passed the email on to friends and relatives! After that the numbers increase exponentially until it lands on someone’s PC who isn’t as security conscious as me.
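The leak described above is mechanical enough that a mail gateway or client plug-in can catch it before the message leaves the organisation: count every address a reader can see, both in the live To/Cc headers and in the To/Cc lines a mail client pastes into the body when forwarding, and warn when a departmental list is about to reach an outsider. The following Python is an added illustration, not code from the article; the domain `council.example`, the threshold and the sample message are constructed assumptions.

```python
"""Gateway-style check for the leak described above: a departmental address list
that stays readable once a message is forwarded outside the organisation.
Added illustration; ORG_DOMAIN, MAX_VISIBLE and SAMPLE are constructed assumptions."""
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "council.example"   # assumed home domain of the department
MAX_VISIBLE = 10                 # assumed policy: more than this belongs in Bcc

# "To:"/"Cc:" lines a mail client pastes into a forwarded body, folded lines included.
QUOTED_HDR = re.compile(r"^>?[ \t]*(To|Cc):[ \t]*(.+(?:\n[ \t]+.+)*)", re.I | re.M)

def _plain_text(msg) -> str:
    """Join every text/plain part so headers quoted in the body can be scanned."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def visible_recipients(raw_message: str) -> set[str]:
    """Every address a reader of this message can see: live To/Cc plus quoted To/Cc."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    fields += [" ".join(block.split()) for _, block in QUOTED_HDR.findall(_plain_text(msg))]
    return {addr.lower() for _, addr in getaddresses(fields) if "@" in addr}

def assess(raw_message: str) -> dict:
    """Warn when too many addresses are visible, or internal ones reach an outsider."""
    addrs = visible_recipients(raw_message)
    internal = {a for a in addrs if a.endswith("@" + ORG_DOMAIN)}
    external = addrs - internal
    return {"visible": len(addrs), "internal": len(internal), "external": len(external),
            "warn": len(addrs) > MAX_VISIBLE or (bool(internal) and bool(external))}

SAMPLE = """\
From: Dave <dave@friend.example>
To: Me <me@home.example>
Subject: Fwd: Please sign this petition

---------- Forwarded message ---------
From: Alice <alice@council.example>
To: bob@council.example, carol@council.example, dan@council.example,
  erin@council.example, frank@council.example, grace@council.example,
  henry@council.example, irene@council.example, jack@council.example,
  kate@council.example, liam@council.example, mary@council.example
Subject: Please sign this petition

Sign here: (petition link)
"""
```

Running `assess(SAMPLE)` reports 13 visible addresses, 12 of them internal, reaching one external reader, and sets the warn flag; a plain one-to-one internal message does not trigger it.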
What Could Happen Now?
The next step, assuming one copy ends up on the wrong desk, is that the recipient could start emailing people within the department as if they were one of the colleagues in the list. They can start requesting information that should reside within the department – and why wouldn’t the colleague respond? The replies can be spoofed to go outside the business or organisation. This is called ‘spear-phishing’.
On top of this, the person can start to build a profile of the people they found in the email. A name linked to a place of work can lead to private information on social media, building a bigger picture. Combine this with a date of birth and the perpetrator will begin to attempt to open bank accounts, take out loans and all sorts of other things you won’t know about until it’s too late. Then your credit rating dives and you can’t get that loan you desperately need.
And yes, I am trying to frighten you! I bet most of the people reading this have really easy passwords they think won’t be guessed. Most passwords can be broken within 2.5 seconds, even if it isn’t ‘password’ or ‘123456’. If you want to know more about how to develop a memorable yet strong password, click here.
In conclusion, the best way to fight ‘social engineering’ attacks is through education: training users to recognise something out of the ordinary and to spot the things that are wrong with criminal emails. Until organisations take this seriously, it doesn’t really matter how much they spend on technology; there will always be a back door into the business. People Are Security Flaws because business enables them through inactivity.