When it comes to cyber security, people are the biggest problem. Or, you could make that “problems.”
At least machines or computers will do what we tell them to do – unless somebody else sneaks in and tells them to do something different. People, not so much – even if their intentions are good. They forget, get careless, get fooled or, in some cases, turn malicious.
And there are many different ways to fool them, which is why experts are essentially unanimous that the “human element” is the weakest link in the security chain.
The bad guys know this as well, of course, and with security technology improving, have focused on that weaker link: Instead of hacking the system, they hack the human.
The most common way to do it is through social engineering – tricking people into clicking on a link that appears to be from a legitimate vendor, on a legitimate website or in an email from a “trusted” source.
Indeed, it is social engineering that tends to be the major focus of security awareness training.
Larry Ponemon, chairman and founder of the research firm Ponemon Institute, doesn’t take issue with that. But he contends that organizations and individuals need to focus on “visual hacking” as well.
In a recent blog post, Ponemon even wrote that, “we’ll soon begin to see a profound shift from malicious parties hacking systems to hacking people.”
Other experts, and Ponemon himself, agree that the shift has been under way for some time. Visual hacking is nothing new. It long predates the digital era. David Monahan, research director, security and risk management at Enterprise Management Associates, calls it, “the oldest form of hacking. It has existed since there were three people, something to write on and a secret two of them wanted to keep,” he said. “We usually call it shoulder surfing.”
But most of the warnings about shoulder surfing are aimed at those who use their mobile devices in public places – airports, parks or coffee shops with free WiFi – where hackers try to pick up credentials or other sensitive information simply by looking at an unguarded screen.
Ponemon’s post was more about visual hacking in the office. He wrote of a recent research experiment his company did, sending a white-hat hacker into the offices of eight U.S. companies, under the guise of a temporary or part-time worker.
“(I)n 88% of attempts, the white-hat hacker was able to visually hack sensitive information from a worker’s computer screen or hard copy documents,” he wrote. That information included, “employee contact lists, customer information, corporate financials, employee access and login information, and credentials or information about employees.”
The hackers also succeeded quickly – 63% within a half hour.
In an interview, Ponemon said he does not have statistics on how common that form of visual hacking is, but said the point of the research was to see how easy it would be. And it turned out to be disturbingly easy.
“This is the kind of thing that can happen if you’re not aware of people wandering around where they don’t need to be, like people coming into hospitals looking for people who might be famous celebrities,” he said.
Other experts, while they agree that there is a risk, say this kind of visual hacking is extremely rare.
Lance Spitzner, training director for the SANS Securing the Human Program, said he has taught more than 600 security awareness officers and, “they have never really raised this as a concern, except for classified environments.”
Monahan said the reason it is rare is because it is much more difficult – it involves creating a plausible ruse to get inside a building, and once inside, there is more personal risk to a hacker who is identified.
And since it requires a person on-site, “it does not scale as well as remote and automatable hacking,” he said.
“You can’t collect the same volumes of data as you can with remote hacking,” he said. “Try sitting in someone’s office for 229 days collecting information like a remote attacker or visually recording 60 million data records.”
He added that login information is nearly impossible to get, even if somebody is looking at a screen, because, “the vast majority of password fields are masked. They might see it as someone types it or find it on a sticky note, but that is still a time-consuming effort, so small potatoes. Thousands of people have their credentials compromised daily by malware.”
Ponemon doesn’t dispute any of that, agreeing that visual hacking in an office likely will not yield anything close to the volume of data that a remote advanced persistent threat (APT) attack could collect.
But he said it can be very useful for “surgical,” targeted attacks. “It’s a matter of quantity vs. quality,” he said. “It’s for small amounts of very high-value material.”
Christopher Hadnagy, CEO of Social-Engineer, is one expert who agrees. While it may not be the most common form of hacking, he said it is on the rise, in part because, “some attacks just must occur in person to be successful. Bank heists, art theft, stealing blueprints or physical hardware – all require the attacker to be onsite.” And Hadnagy contends it is not all that difficult. “Why spend 10 years digging a hole underground if I can spend five minutes walking through the front door?” he said. “It is that mentality that lets the attacker take the risk. The reward outweighs the risk in their mind.”
Indeed, while it may not qualify as a hack, word this week from the Indiana State Medical Association (ISMA) of the “random” theft of a pair of backup hard drives is just one recent example of the threat from those on the inside. The association said the theft meant the private data of 39,090 of its clients may be at risk.
The one thing there is little disagreement about is that the best way to lower the risk is through improving the “security culture” of organizations. Some of that, Ponemon said, can be done through low-tech means like privacy filters for screens and lock boxes for documents. Some of it can be through rewarding employees for spotting security vulnerabilities.
But effective security awareness training is seen as the major key.
Spitzner said human behavior “absolutely” can be changed through training, but won’t be through the traditional “death by PowerPoint” lecture, which was done largely to check a compliance box.
“Marketing has been changing people’s behavior for hundreds of years,” he said. “The problem with us is that training has mostly been done by security professionals, who tend to be some of the worst communicators in the world. It needs to be done by communications professionals.”
Hadnagy added that there is still a great need for more, and better, training. “I can’t tell you how many times people I train don’t even know what a phish is, or a vishing call, or a shoulder surf,” he said. “If they don’t even know, how can they defend? Education is probably the single most important step to protection any company can have.”
Spitzner said if training focuses on how security awareness will benefit not just the company but employees themselves, “then it becomes part of their DNA,” and the failure rate drops from 30 to 60 percent down to less than 5 percent.
And even those in the 5 percent, he said, tend to recognize what they did immediately, and report it to IT. “That’s almost as good,” he said.