People travel from all over the world to hear one of the world’s highest profile ethical hackers, Jamie Woodruff speak, and listening to him at our recent event for digital agencies with BIMA, it didn’t take long to work out why.
Jamie made his name, in part, from showing vulnerabilities in Kim Kardashian’s website – and hacking Facebook, Twitter and Bloomberg in six minutes.
In this blog, I’m going to zero in on one of Jamie’s main messages: the critical impact of the ‘human factor’, both in how it can leave businesses weak and exposed and in how it is the key to keeping people safe.
Quick recap – what’s social engineering?
In his work as a fully authorised, ethical penetration tester, Jamie’s an expert in the art of manipulation for information, or ‘social engineering’. At the heart of many ‘cyber attacks’ are human elements and interactions that rely on minimal technological interventions.
Social engineering techniques to manipulate people into performing actions or divulging confidential information are based on cognitive biases, also known as ‘bugs in human hardware’. These include things like loss-aversion bias, where people prefer to avoid losses instead of acquiring gains and hyperbolic discounting – the tendency for people to want an immediate payoff rather than a larger gain later.
A cognitive bias Jamie often exploits in his work is stereotyping…
Beware of your personal biases
Too often, it’s an employee’s inability to see through a disguise (Jamie will often pose as a pizza delivery or FedEx guy) that allows him to infiltrate businesses and which could, consequently, be responsible for breaches.
Jamie warned against assuming your attacker is “a Warlock in his mum’s basement …or teenage kids in hoodies drinking Red Bull. It could be the guy in the suit – a disgruntled ex-employee up for corporate distortion.” He argues compromises are happening daily because of stereotyping.
Jamie went on to give a chilling account of a company he’d been asked to investigate. An unhappy, low-ranking former employee of that company had risen to become a senior exec at a rival. How? They’d set up an FTP account and taken all their former employer’s schematics. The company had gone through its servers and databases and checked all entry points, but didn’t bank on a single, unassuming individual being capable of causing $30m in damages, the ultimate cost of the breach.
In case delegates weren’t alarmed enough, Jamie also demonstrated how everyday fraudsters can use free apps to call your phone with a fake caller ID and access transaction histories from your credit card. I think it’s fair to say many were stunned at just how vulnerable we can be in our day-to-day lives through simple technologies.
Jamie told digital agency delegates that outside the UK there are entire businesses set up for the sole purpose of compromising other companies, because data is more valuable than currency.
Like the organisations you or I work for, these criminal set-ups have targets and KPIs they need to achieve. In other words, a professional structure where attacks are judged on ROI. The trick in this human framework is to make sure these people see their time is better spent targeting someone else.
Part of this has to be about making sure your technology, risk and governance ‘ducks’ are in a row. Jamie spoke about a nuclear power plant, showing live webcam footage that allowed you to read individual employees’ security passes. Another example was the business whose coffee machines were hijacked by ransomware and spewed out coffee whilst displaying demands for payment, because there was no isolated network. Finally, there was the airport forced to show flight times on hand-drawn whiteboards after hackers infiltrated this part of national infrastructure because it was “10 years behind on patching”.
But when you’re trying to combat human adversaries, it’s going to take the human touch to keep winning.
Human detection as the new normal
Jamie’s top piece of advice in his Q&A was “The human element is really important. Put a pot of money aside to educate people. They’ll always be the first and last line of defence. Focus on humans and technology.”
The old concept of ‘building a wall’ to secure the perimeter prevails in the world of cyber security, but it’s been shown to be outmoded, as is the notion technology alone can prevent attackers from exploiting vulnerabilities. As Jamie said, “They’ll always find a way in.”
This means we must adopt a proactive stance: taking the fight to the attacker is the new normal. Use experienced people to look for indications that an attack is about to take place, and permanently assume the defensive perimeter may already have been compromised.
In practice, this means proactive monitoring and detection services, round-the-clock rapid response and remediation, and backup and disaster recovery support. The services we provide here at Rackspace emphasise enabling the business and minimising impact, using human-enriched technologies and daily cyber-hunting missions to spot suspicious activities before they escalate into attacks.
I got the feeling that many digital agencies at the BIMA event wanted more education and support on keeping their businesses, and their clients’ data, safe. That’s where we can partner up, providing threat reports specific to your industry, as well as end-user security training and help on how to use and promote it.
Ultimately, this is all about lowering ROI for the attacker, making it harder for them to reach their goals.