Cyber Attack Vector… the Human Operating System is 100% Vulnerable

Cyber-attacks are through the roof.   Numbers from the FBI, Verizon Breach Report, The Ponemon Institute and nearly every industry source all agree the number of attacks are dramatically increasing.  We have all heard of Target, Neiman Marcus and so many others.   So the question is….are we becoming more vulnerable?

First we must understand both the source and the cause.   The source is generally considered by most to be generally classified as those ‘hackers’.  Fact is the days of the stereotypical teenage male in his parent’s basement have long since passed.   Hackers today are highly sophisticated and organized and generally fall into one of three categories.   First, organized criminals are out for financial gain, often measured by millions of dollars.  Second are the nation-state actors with the most attention being on Iran, China and Russia.  Just this week a malware attack suspected to be sourced from Iran made a significant splash in the defense world.  Lastly, are the Hacktivists.  These are socially motivated groups that are well organized, sufficiently funded and are motivated by an ideology.  The most commonly known of such group is called Anonymous.  Among hundreds of others, they took credit for bringing down 5 banks in Brazil as a protest when the Brazilian government made cyber intrusions a crime.

Interestingly, the cause of increased cyber-attacks is not a necessarily a technology problem .  Nearly all networks have a firewall that block attacks, an intrusion detection system that tells when someone is trying to break in and any number of other technologies to protect the network and the data.  Of course there is anti-virus (AV) software.   Last week Symantec, arguably one of the largest AV companies in the world made an announcement that AV is ‘dead’, which created quite an uproar.  If you look further into the statement, they clarify that hackers have moved away from the nuisance of virus and worms to malware.  Malware is ‘malicious software’ that is hostile and intrusive.  It can log keystrokes, destroy data, steal passwords, and allow remote control of your systems among other tricks.  But the weakest link for hackers to break may not be technological at all – but human!

The simple fact is that hackers don’t have to break down a door that is willingly opened from the inside.  The Human Operating System is designed to be a helpful, quick moving and often lacks an adequate logic algorithm (people sometimes don’t think).   ‘Phishing’ has become the weapon of choice for the hackers because e-mail must be let into the network to do business.   A cleverly crafted e-mail makes it simple for the hackers to get directly into your company network.  E-mails that seemingly come from the IRS around tax time, or from FedEx or UPS about lost packages during the Holidays will certainly raise the recipient’s heart rate enough to cause them to click.  Gotcha.

People post an inordinate amount of personal data on the internet through social media.  Such postings allow criminals to gather very specific target data about where their intended victim shops, banks,

works-out and many other day to day activities.  This public information makes it easy to create a tailored, specific e-mail to a target, and dramatically increases the likelihood of the ‘Spear Phishing’ e-mail to be opened, and the subsequent payload delivered.

Recently, a specific area was targeted during an impending snow storm.   Hackers were aware of potential school closings in the region and sent out e-mails to targeted victims regarding early dismissal of the schools and emergency instructions on collecting students.  Some emails contained infected spreadsheets claiming to have class rosters.  Some contained infected links in the e-mail text that would take the victim to a seeming legit web site. 

There are end point security technologies that can block some of the more common attacks and the major AV vendors do a good job of keeping up.  Properly installed systems will keep signatures regularly updated and keep most of these attacks from getting to the users, but no technology is available to protect the human operating system from itself.  The issue is only one infected e-mail has to get by the user to be effective.   A 99% score in security is still a fail.

Users of the all types of technology - desktops, tablets smart phones etc. - must be educated regarding cyber-attacks and understand how a simple, uninformed action on their part can cause a company, or an individual, significant loss.   When users understand they are the first line of defense, and are empowered to protect themselves and their company – human operating systems can significantly reduce the threat of cyber-attacks.

Here are some things that you can do to protect yourself and your data:

1. DO NOT click on any links in a scam e-mail (open a browser and go to the site manually)
2. DO NOT supply information of any kind (personal or company) as a result of the email
3. DO NOT reply to a questionable e-mail or attempt to contact the senders in any way.
4. DO NOT supply any information on the bogus website that may appear in your browser if you have clicked a link in the e-mail.
5. DO NOT open any attachments that arrive with the e-mail
6. DELETE the email from your computer as soon as possible
7. REPORT the phishing scam to Department of Homeland Security US Computer Emergency Readiness Team (US-CERT) at: phishing-report@us-cert.gov

“Unfortunately, it is fairly evident that where cyber-attacks are concerned, the water is coming over the wall.”, states Bryant Tow, cyber-security expert at Capco.  “Someone in your organization is going to click on something they are not supposed to.”, he continues.   Simply put, there are two kinds of companies: those that have been infiltrated and those that are not aware of it.   Tow urges, “The best defense is having tactical plans to handle the technology when it does become infected and minimizing the loss.”