Introduction
Hardly a day goes by that I don’t receive a suspicious-looking email asking me to either click on a shortened URL or open an attachment. And I’d bet you do, too.
Why do cyber criminals send spam emails in the hope that someone will click on the link or open the attachment?
Why don’t they attack the public-facing web or mail server directly?
Social Engineering
If you compare the complexity of today’s enterprise networks and the systems they contain with those of a few decades ago, you’ll notice one thing: they’ve become increasingly complex over the years.
Security solutions are advancing with technology. If Red Teamers or hackers discover a new attack vector, a countermeasure from the Blue Team exists (at best) a few days later.
Today, an attacker has a wide range of entry vectors to choose from. To minimize the effort, attackers prefer to go for the weakest link in the chain: the human being.
There are no metrics (that I know of) by which the level of IT security within organizations can be measured.
“Hey man, what do you mean? We have antivirus software from three different vendors installed on each of our computers. We take that very seriously!” Yeah... no.
The only metric that can be used to approximate this is the security awareness of the employees within the company.
Security Awareness
Social engineering, and phishing as a part of it, is the preferred entry vector of attackers par excellence.
Attackers exploit a variety of human behaviors:
- Fear (e.g. blackmail, ransomware)
- Helpfulness (e.g. “Can you please check whether you can open this document? It does not work for me and I have an assignment due tomorrow. :(”)
- Prejudice (e.g. “Why the hell did you let this person into the server room?” “Well, he looked like a technician, how could I have known?”)
- Curiosity (e.g. USB drops; surely no one would leave malicious USB sticks lying around, right?)
- Habitual behavior (e.g. coming back from vacation and skimming through a pile of mail on autopilot)
- Authority (e.g. attackers faking a mail from your boss)
Recommendations for action
For this reason, a company’s employees should be trained periodically (for example, twice a year) in the area of IT security. More precisely: in the area of social engineering.
As an example, the following topics should be addressed:
- What is social engineering?
- Which behaviors do attackers exploit?
- What are the dangers?
- How to handle sensitive data securely
- How to deal with telephone calls
We’re living in (almost) 2022. There are no excuses for a lack of security awareness. This is just willful blindness.