
The Weakest Link: Securing The Human Element From Cyber Attack 

By: Chris Clements, VP of Solutions Architecture

The Problem 

As humans, we tend to trust the people around us in most situations simply by default. We usually don’t assume that the cook in a restaurant will poison our food or that the pharmacist will intentionally swap our medications, and for good reason. One of humanity’s superpowers, which allows all civilization to function, is cooperation. Being suspicious of everyone around you isn’t only exhausting, but it grinds society to a halt. Unfortunately, like many powerful things, defaulting to trust is a double-edged sword that has caused people to fall victim to scams and con men throughout history.


Before the internet, such cases tended to be limited by a bad actor’s reach — there are only so many doors you can knock on or people you can approach — but the internet allows criminals to reach millions in a matter of seconds. It has spawned its own discipline for exploiting human trust — social engineering.  

The scale on which bad actors can act has magnified the problem. Phishing specifically is the initial attack vector for thousands of cybersecurity compromises every year, but it isn’t the only form of social engineering. I’ve personally run many social engineering operations on behalf of customers to test the resiliency of their personnel. It’s deceptively easy to gain physical access to sensitive locations by following behind people through secure doors, a technique used in “physical penetration testing.” Yet another method uses phone calls and text messages. Awkwardly named “vishing” and “smishing,” these have been demonstrated to be WILDLY successful by the LAPSUS$ cybercriminal group in compromising some of the largest and seemingly most secure companies in the world, simply by making calls to their help desk.

The Solution 

As problems go, social engineering is a difficult one. We want our personnel and coworkers to work together and to have trust in communicating with vendors and customers. However, we don’t want them to fall victim and put the business and its customers at risk. There are several ways organizations can help put their personnel in the best position to identify and respond to social engineering attacks. First, IT departments should use software that filters spam and phishing emails and implement technical controls, which will keep most attacks away from their users. Next, any emails from domains other than the company’s own should be clearly marked as “external” to make identifying impersonation attacks easier.  
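As an added illustration of the “external” marking control described above (example code written for this article, not a product or the author’s own tooling), the following tags inbound mail whose sender domain is not one of the organization’s own, and also surfaces the two impersonation patterns that tag is meant to expose: an internal-looking display name on an external address, and a Reply-To that differs from the visible From. The domain list, the name directory and the sample messages are constructed assumptions.

```python
"""Tag inbound mail from outside the organization's own domains as
EXTERNAL and flag common impersonation patterns.
All domains, names and messages here are constructed sample data."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own sending domains (constructed).
INTERNAL_DOMAINS = {"example.com", "example.org"}
# Assumption: constructed directory of internal display names, lowercased.
INTERNAL_NAMES = {"alice smith", "bob jones"}


def is_internal(address: str) -> bool:
    """True when the address's domain is one of ours or a subdomain of one.
    An empty or malformed address is treated as external (safe default)."""
    domain = address.rpartition("@")[2].lower().strip()
    if not domain:
        return False
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def tag_external(raw: str) -> dict:
    """Parse one RFC 5322 message and return the tagging decision:
    whether it is external, the (possibly prefixed) subject, and warnings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    external = not is_internal(addr)
    subject = msg.get("Subject", "")
    warnings = []
    # Display-name impersonation: looks like a coworker, but the address is not ours.
    if external and name.strip().lower() in INTERNAL_NAMES:
        warnings.append("display name matches an internal user but address is external")
    # Replies silently redirected somewhere other than the visible sender.
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append("Reply-To differs from From address")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"external": external, "subject": subject, "warnings": warnings}


# Constructed sample messages.
SAMPLE_INTERNAL = (
    "From: Alice Smith <alice.smith@mail.example.com>\n"
    "Subject: Q3 budget\n\nSee attached.\n"
)
SAMPLE_IMPERSONATION = (
    "From: Alice Smith <alice.smith@webmail.example>\n"
    "Reply-To: finance@invoices.example\n"
    "Subject: Urgent invoice\n\nPlease pay today.\n"
)
```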

Training users themselves to spot social engineering attacks like phishing has been a controversial topic with cybersecurity experts. Some argue that it’s at best a waste of time, at worst a means of eroding personnel trust, and that users will never be able to identify 100% of all attacks. I understand their point, and I have seen some training programs that I do believe are actively harmful. That said, I fundamentally disagree that it isn’t worthwhile. The National Highway Traffic Safety Administration reports that the average driver in the United States will be involved in three to four crashes in his or her lifetime. That means most of us will likely have this unfortunate experience, but that doesn’t mean we shouldn’t be educated on defensive driving best behaviors. Moreover, as averages go, we all know people who have never had an accident and others who seem to be magnets for them. As an organization, being able to identify and focus efforts on training those who seem more “accident prone” with social engineering can bring a nice balance between being a nuisance to safer users and providing adequate training to those who need it most.

Beyond training, however, there still need to be procedures in place for personnel to verify the legitimacy of any communications they receive, regardless of the source. They should know where to send a suspicious email to have it validated (and this process should take minutes, not days, or else they will be disinclined to use it), and they should have standard identity verification procedures for any inbound calls or text messages.

Finally, make sure that users understand how to report social engineering attacks. Doing so gives you a way to communicate the attack and raise awareness so that others don’t fall victim. Organizations should also want users to feel safe reporting an incident if they do fall victim to an attack so the incident response process can begin immediately.

Dos and Don’ts  

Do

  • Clearly mark emails from outside the organization as external 
  • Employ personnel verification procedures to validate identity 
  • Train employees on common attacks and scams, and how to respond 
  • Test common attack scenarios such as password reset or fake invoice emails 
  • Update these procedures and retrain as attacks evolve 

Don’t

  • Train so often it becomes a nuisance 
  • Train so infrequently it isn’t reinforced 
  • Be punitive with users who make mistakes. You want them to feel safe reporting if they think they may have fallen for an attack 
  • Send phishing training promising bonuses, gift cards, or other monetary means. Yes, it’s mean and gross when cyber criminals do it, but it’s mean and gross for you too.

About the Author 

Chris Clements, CISSP, CCSA, CCSE, CCSE+, CCSI, CCNA, CCNP, MCSE, Network+, A+, began working in the information security field in 2001, and has a wide range of experience with information security technologies including: 

  • Firewalls
  • Intrusion Prevention Systems (IPS)
  • Intrusion Detection Systems (IDS)
  • Virtual Private Networking (VPN)
  • Anti-Malware
  • Strong Authentication
  • Disk Encryption

Chris is also an expert in information security design, security compliance, and penetration testing (ethical hacking) techniques such as: 

  • Vulnerability Assessment 
  • Man in the Middle Attacks 
  • SQL Injection 
  • Cross Site Scripting 
  • Phishing 
  • Secure Environment Breakouts 
  • Privilege Escalation 
  • Password interception 
  • Password Cracking 

He has worked to secure hundreds of customers across North America, from Fortune 500 companies with billions in revenue to small businesses with just a few users. He has developed in-depth security auditing and penetration testing products and service offerings and engaging end-user security awareness programs. Chris also enjoys teaching and has led courses on information security for hundreds of students. With his unique skill set and background in both technical operations and business management, Chris has strengths in business management, sales, and product and service delivery.