Individual holding a flash drive. Photo Credit: Wikimedia Commons.
Popular imagination envisions hackers as shadowy figures in dark rooms hunched over computers running thousands of lines of code as they attempt to brute force their way into target networks and systems. But the reality is that hacking is not often about “brute force.” Instead, whether it is script kiddies playing with new cyber toys or nation-state sponsored Advanced Persistent Threats (APTs) chasing after government secrets, cyberattackers exploit the greatest and most vulnerable part of any information technology system: the human being in front of the screen. Human beings represent one of the greatest weaknesses to the cybersecurity of their systems and prove highly vulnerable to psychological manipulation–social engineering–in ways that enable a cyber threat actor to easily gain access to targets’ secure systems. While powerful malware and advanced hacking skills significantly bolster any cyber actor’s capabilities, it is ultimately humans that represent an unpatchable exploit in cybersecurity.
Social Engineering and Cyber
Social engineering is defined as “the art of gaining access to buildings, systems or data by exploiting human psychology.”[i] Since the Greeks penetrated the walls of Troy using a hollow wooden horse full of soldiers, human biases have provided a fertile target for manipulation. Today, cyberattacks rely on a wide range of social engineering techniques, from subcategories of phishing–“unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials”–to the strategic placement of devices such as flash drives or USB charging outlets that upload malware or access data without the user’s knowledge.[ii]
Nation-state attackers have employed social engineering to gain access to classified or confidential American (and foreign) government information. In 2010, a seemingly innocuous USB flash drive, left in a parking lot, found its way into a Department of Defense laptop on a base in the Middle East. That flash drive proved to be anything but innocent. Once connected to the government device, it began uploading and spreading malicious code throughout the DoD’s classified networks in what became known to the DoD as Operation Buckshot Yankee. The attack leveraged an average human being who unwittingly saw the storage device on the ground and decided to insert it into his or her machine.[iii]
In the lead-up to the highly contentious 2016 US presidential election, cyber actors under Russian military intelligence–the GRU–gained initial access to the email servers of the Democratic National Convention (DNC) through spearphishing emails. The access these attacks provided would ultimately lead to the theft of emails and data, which were later weaponized as part of Russia’s disinformation campaigns targeting the American public during the election.[iv] A recent poll of federal information technology decision-makers highlights the challenge government leadership sees in the human factor. The poll revealed that 56% of respondents believe careless or untrained users to be their greatest security threat. The survey further cited careless insider breaches by government employees and contractors as the primary reason individuals end up “accidentally exposing… critical data.”[v]
Nation-states are not the only victims. Businesses and even private individuals can also fall victim to human hacking. Malicious phishing emails claiming to be friends, colleagues, supervisors, or Nigerian princes hoodwink people into giving away tens of millions every year.[vi] One of the largest and most damaging hacks ever—the compromise of nearly three billion Yahoo email accounts by threat actors working on behalf of the Russian FSB—has its roots in intrusions enabled by employees clicking on target-specific phishing emails, a practice known as spearphishing.[vii] Even major network security companies, such as RSA (formerly RSA Security), have suffered breaches due to spearphishing attacks. In 2011, for example, RSA witnessed the theft of as many as forty million client employee records. And the FBI reported that in just 2017, private citizens in the United States lost more than $30 million as a result of phishing schemes, with more than twenty-five thousand victims.[viii]
Mitigating the Risk
Ultimately, human error and the impact of social engineering can never be eliminated. But while people cannot be patched like software vulnerabilities, both government and the private sector aim to mitigate the risks associated with the human vulnerability. Through measures such as regular cybersecurity training, users may become more aware of their vulnerabilities and of potential manipulation by exploitative cyber actors. The impact of such training is well studied, so it is fair to say these measures improve the capabilities and security of government agencies and the private sector. These types of initiatives can also reduce the massive amounts of money stolen each year by cyber criminals.
Training that incorporates the latest social engineering tactics can help employees assess their understanding of the threats and improve organizations’ understanding of their human vulnerabilities. In addition to training, the use of technical means and policies–such as the US government’s decision to disable all USB ports on government computers in the wake of Buckshot Yankee, or the application of Data Loss Prevention (DLP) scanners to ensure confidential information is not sent to attackers–further bolsters efforts to mitigate the cyber risk posed by individuals. Establishing access-control policies around sensitive data can also limit the ability of cyberattackers to capitalize on their initial success: partitioning sensitive data diminishes the impact of a breach. While imperfect, taking steps to mitigate the risk posed by human beings in cybersecurity can help reduce, though never wholly solve, the cybersecurity problem that people pose.
[i] George V. Hulme and Joan Goodchild, “What is social engineering? 3 ways criminals exploit human behavior,” CSO, August 3, 2017. https://www.csoonline.com/article/2124681/what-is-social-engineering.html.
[ii] US Department of Justice, Federal Bureau of Investigation, Internet Crime Complaint Center, 2017 Internet Crime Report, page 29. https://pdf.ic3.gov/2017_IC3Report.pdf; Jason Fitzpatrick, “What Is ‘Juice Jacking’, and Should I Avoid Public Phone Chargers?” How-To Geek, September 22, 2016. https://www.howtogeek.com/166497/htg-explains-what-is-juice-jacking-and-how-worried-should-you-be/.
[iii] William J. Lynn III, “Defending a New Domain: The Pentagon’s Cyberstrategy,” Foreign Affairs, September/October 2010 Issue. https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain.
[iv] Lance Cottrell, “The DNC Hacker Indictment: A Lesson in Failed Misattribution,” Security Week, October 4, 2018. https://www.securityweek.com/dnc-hacker-indictment-lesson-failed-misattribution; Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” CrowdStrike Blog, June 15, 2016. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
[v] Brandi Vincent, “Survey: Cybersecurity Threats from Careless Insiders and Foreign Governments Reach All-Time Highs,” NextGov, March 5, 2019. https://www.nextgov.com/cybersecurity/2019/03/survey-cybersecurity-threats-careless-insiders-and-foreign-governments-reach-all-time-highs/155301/.
[vi] Lee Mathews, “Phishing Scams Cost American Businesses Half A Billion Dollars A Year,” Forbes, May 5, 2017. https://www.forbes.com/sites/leemathews/2017/05/05/phishing-scams-cost-american-businesses-half-a-billion-dollars-a-year/#5ab24b353fa1.
[vii] Martyn Williams, “Inside the Russian hack of Yahoo: How they did it,” CSO, October 24, 2017. https://www.csoonline.com/article/3180762/inside-the-russian-hack-of-yahoo-how-they-did-it.html.
[viii] Federal Bureau of Investigation, Internet Crime Complaint Center, 2017 Internet Crime Report, pages 20–21.