Why Humans are the Weakest Link in Cybersecurity
For time immemorial, many have been saying “humans are the weakest link” with a mix of sarcasm and seriousness. While this statement can be traced back much further than the digital age, HAL 9000’s opinions excluded, it can be argued effectively that this axiom rings especially true when dealing with cybersecurity.
Granted, anyone who claims that their security software is 100% secure and bug free should be sharing what they’re smoking, but it’s impossible to deny that the major cause of many recent security breaches has come down to human error, including such practices as bad password management/protocol, and… susceptibility to social engineering tactics. Yes, phone scams are back with a vengeance!
Case in point, as reported by TechRepublic and other reputable sources, Lapsus$ (or DEV-0537 as Microsoft so unimaginatively dubs it) is actively implementing several “old school” types of social engineering schemes, such as phone-based social engineering, SIM-swapping (to facilitate account takeovers), and accessing personal email accounts of targeted companies employees as a way to gain access to their work-related accounts. Here is a brief breakdown of these tactics:
Phone-based Social Engineering
Deviant social engineers (and I say “deviant” because not all social engineering is bad) will call an organization’s help desk and try to persuade the support representative to reset the credentials for a privileged account. To sell what they’re trying to accomplish, the group goes so far as to use previously gathered information about the accounts and uses English-speaking people to talk to the help desk to supposedly ensure trust.
SIM-swapping
With SIM-swapping, a criminal convinces or even pays off an employee at a mobile carrier to move the victim’s phone number to a SIM card owned by the attacker. Any multi-factor authentication requests are then directed to the hacker’s phone via a call or text, allowing them to take over the victim’s account.
Accessing Personal Accounts
Lapsus$ will compromise someone’s personal or private accounts as a way to gain access to their work-related accounts, knowing that many employees working remotely nowadays use some sort of VPN to access their employer’s network. As employees typically use their personal accounts or numbers as their 2FA or password recovery in this situation, this acquired access can be used to reset passwords and modify account recovery actions.
But wait, Monty — There’s more!
Beyond these social engineering tricks, Lapsus$ carries out more traditional hacking practices in order to gain access to accounts, networks and other sensitive assets. They are known to use the password-stealing malware known as “Redline” to obtain passwords and tokens, to search public code repositories for exposed passwords and credentials, and to purchase credentials and tokens from criminal forums and other DarkWeb avenues. Further, Lapsus$ will attempt to exploit security flaws in web-based tools such as Confluence, JIRA and GitLab.
It gets even more greasy, as Lapsus$ actually has the cojones to actively recruit “social engineers” by offering them money. That’s right, they’re hiring! As revealed by KrebsOnSecurity, “(Lapsus$) advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system.”
There are easily found examples of Lapsus$ advertisements (which I won’t link to) looking for employees at call centers, mobile carriers and large corporations willing to share VPN or Citrix access to a network for money. This nefarious enticement is evidently enough to make a 45,000+ subscriber base on the LAPSUS$ Telegram channel. Of course, Easy Street is often full of moral potholes. Perhaps it’s best to take a different route.
Having said all that, fingers must also be pointed at cybersecurity companies and platforms that promise such things as hands-off automation processes. As industries rely more and more on automation processes and IT teams to perform day-to-day functions, what is actually going on under the hood — particularly with cyber hygiene — is understood less and less. Set it and forget it. As a result, we end up with a significant portion of people who deal with computers but do not understand their “technical” underpinnings, which in turn makes it easier to trick people into executing something malicious, like giving away credentials to a phishing scheme, etc.
The Most Vulnerable Attack Vectors
Browsing habits and website visits
All Internet activity is monitored by an Internet Service Provider (ISP) and can be hijacked. While there is little consumers can do about attacks at the ISP level, the web pages you visit can also be tracked by cookies. Cookies aren’t all bad — a necessary evil, if you will, to tailor personal preferences and advertisements — but when the unique identifiers they carry are too detailed, they give hackers a lot to go on. Browser plugins may also track your activity across multiple websites, and a plugin that was once trusted can turn malicious at any time.
Message and email content
In addition to exposing communiques with friends, families, colleagues and co-workers, email accounts are often the backdoor way into other valuable accounts. As central hubs to other online services, cyber criminals try to obtain passwords through credential stuffing, social engineering, or phishing scams in order to hijack other services.
Phone scams
Phone scams have been around since Alexander Graham Bell claimed he invented the telephone. But with today’s isolationism and a craving for real human interaction, this technique is making a huge comeback. Fraudsters will impersonate employees of a company or institution to obtain personal information like Social Security and credit card numbers, or pretend to be customers in an effort to transfer a phone number away from the real customer and change the 2FA protections. This can give them access to linked online accounts, etc.
Other targeted areas to be leery of are when making online transactions through vulnerable e-commerce sites (yes, that includes PayPal — be wary of those emails in your inbox that require “immediate attention”) and, perhaps sickest of all, medical records obtained through hospital databases.
What Can We Do?
So, is it your fault you’re not aware of something you don’t even see or are fooled by convincing voices and emails? Well no. And yes. There’s a fine line between accountability and innocent ignorance. And while it’s unrealistic to expect all employees to understand the code and processes that go into protecting an organization’s sensitive data, or keep up with the new tactics and techniques used by cyber criminals, there is some really basic stuff that needs to be taught and implemented to all levels of the working hierarchy as well as the average Joe and Jane.
Below are some of the essential steps that should be understood and implemented across the board; for a detailed breakdown of these processes, here is an excellent article that does more of a deep dive.
- Scrutinize emails — even if it looks legit, take a look for any typos or discrepancies, and most importantly, look at the sender’s email address. This is often a dead giveaway.
- Look at the call display on incoming calls. Most, if not all, reputable companies, particularly financial institutions and government institutions, will have their name appear in the display. Though even this can be forged, so if in doubt, call them back on a publicly verifiable number.
- Keep on top of payments and activities so you can identify when a call or email seems out of the ordinary.
- Be vigilant with the information you post and forward on social media sites. Better yet, break the addiction and stop using them.
- Use reputable VPNs to keep your browsing habits private.
- Regularly clear your browsers’ cookie cache.
- Regularly and with haste, update and install security patches and operating system updates.
- When dealing with the sending of sensitive personal, professional or financial information online, always look in the address bar for “https://”. Many browsers show a closed padlock when this is the case.
- Use the plug-ins that are offered by browsers for detecting tracking activity such as HTTPS Everywhere, NoScript Security Suite, Disconnect, Facebook Container and Privacy Badger. While you’re at it, monitor your extensions and plug-ins list to see if there’s anything installed you don’t recognize.
- DON’T use public, unsecured Wi-Fi, particularly for financial transactions. Set up your mobile device as a mobile Wi-Fi hotspot through your service provider instead.
- ALWAYS enable 2FA or Multi-factor authentication. Be aware of the other security features offered on your devices and use them accordingly.
- Make sure your devices (including IoTs) are locked down! Better to reset a forgotten password than to leave your device open to the world.
- Use encrypted messaging services such as Signal, Telegram and WhatsApp. If you prefer to use messaging apps such as iMessage, turn off the backup option to prevent information being stored in the cloud.
- Only download apps from reputable platforms and be vigilant about the permissions you allow the app to have.
- AND FINALLY — change all default passwords immediately to something other than PASSWORD123 or other such easily hackable nonsense. The longer, the better, with a mix of numbers, letters and symbols. If you have problems remembering them (as I, admittedly, do) consider a password manager. Of course, you have to remember that password to access it :)
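The “look at the sender’s email address” advice above can be turned into a simple automated check. The following is an added example, not code from the original article: it flags the three sender-address tricks the list warns about (a display name that claims a brand the address doesn’t belong to, a look-alike domain with swapped characters or a trusted name used as a leading label, and a Reply-To that routes answers elsewhere). The trusted-domain list and all sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Domains the reader actually does business with. Constructed for this example;
# a real deployment would load the reader's own list.
TRUSTED_DOMAINS = ("paypal.com", "example-bank.com")

# Digit substitutions scammers use to forge look-alike domains (paypa1.com).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(header_value: str) -> str:
    """Return the domain of the real address inside a From:/Reply-To: header."""
    _display, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_like(domain: str, trusted: str) -> bool:
    """True when `domain` imitates `trusted` without being it or a subdomain of it."""
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    if domain.translate(CONFUSABLES) == trusted:      # paypa1.com -> paypal.com
        return True
    return domain.startswith(trusted + ".")           # paypal.com.secure-login.example


def phishing_indicators(headers: dict[str, str]) -> list[str]:
    """Return human-readable reasons to distrust the sender; empty if none found."""
    findings = []
    display, _addr = parseaddr(headers.get("From", ""))
    domain = sender_domain(headers.get("From", ""))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # The display name claims a brand that the address domain does not belong to.
        if brand in display.lower() and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"display name mentions '{brand}' but address is @{domain}")
        if looks_like(domain, trusted):
            findings.append(f"@{domain} is a look-alike of {trusted}")
    # Replies silently routed to a different domain than the visible sender.
    reply_domain = sender_domain(headers.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To goes to @{reply_domain}, not @{domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdrs in ({"From": "PayPal Service <service@paypa1.com>"},
                 {"From": "IT Helpdesk <helpdesk@corp.example>",
                  "Reply-To": "helpdesk@mail-reset.example"},
                 {"From": "PayPal <service@paypal.com>"}):
        print(hdrs["From"], "->", phishing_indicators(hdrs) or ["no indicators"])
```

An empty result only means none of these three patterns matched; it is a first filter, not proof that a message is legitimate.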
“To err is Human; to forgive: divine.” I’m pretty sure Alexander Pope wasn’t thinking about cyber crime back in 1711 when he coined this, and the forgive part is hard to do when millions are lost and stocks and public trust plummet. So can such a fundamental internal human flaw be fixed? Well no, sadly. But with proper training and a general consensus mindset that takes data theft seriously, it can be curtailed. Assume you will be a victim; it’s a matter of when, not if.
Are we at the point where proper cyber hygiene, cybersecurity training and budgeting for data protection will occur on a tangible level? I guess more pockets need to bleed before it’s taken seriously enough that companies invest proper money into counter-measures and security platform development. Nothing Divine about that, just common sense to save common cents.