ARN

The human OS: Overdue for a social engineering patch

Experts say training -- done well and frequently -- can make employees much more difficult to 'hack'

It sounds like the operating system that really needs some serious security patches is the human one.

While technology giants like Microsoft, Google and Apple regularly crank out updates, patches and fixes for zero-day vulnerabilities and other threats, the weakest link in the security chain -- the careless or clueless employee -- remains as weak as ever.

That is in large measure because there is no technology that can prevent someone falling for increasingly sophisticated social engineering attacks. As has been regularly reported during the past year, some of the biggest data breaches in history have been launched by attackers fooling an employee.

And that is despite years of exhortations by experts that worker security awareness training needs to be much more than a perfunctory lecture or PowerPoint presentation once every six months or so.

In a recent flash poll conducted by Dark Reading, more than half of 633 respondents said "the most dangerous social engineering threat to their organizations was due to a lack of employee awareness."

The latest McAfee Phishing Quiz, which had drawn more than 30,000 participants in 49 countries as of early this month, found that 80% fell for at least one phishing email in the 10-question quiz. Among business users, the best score came from IT and R&D teams -- but their score was just 69% correct in detecting which emails were legitimate and which were phishing.

In short, human hacking continues to be far too easy. Chris Hadnagy, chief human hacker at Social-Engineer, said during a Dark Reading radio interview that, "as you can see from the news, it's (social media attacks) working way too well."

According to Hadnagy there are three major causes for that -- the first two relating to human weaknesses and the third to much-improved attacks.

First, people are programmed to want to help others. "Inherently we want to trust people," he said.

Second, most users are uneducated about security threats. "Companies are not doing a great job at security awareness education that matters to or affects the employee," he said. "Put those two together -- the psychology and the lack of education -- and you have a breeding ground for social engineering."

And that makes them even more vulnerable to attackers who have upped their game. "It starts with OSINT (open-source intelligence) or online information gathering," Hadnagy said. "That's the lifeblood of social engineering. Once the information is gathered, it becomes apparent what attack vector will work best."

Theresa Payton, former White House CIO and current CEO of Fortalice Solutions, agrees that OSINT gives attackers far better tools to fool their targets.

"They figure out who the executive team is, the law firm, the names of the corporate servers, current projects, vendor relationships and more," she said. "They use the reconnaissance, which can often be done in less than a day, to create sophisticated social engineering attempts."

Attackers have also almost eliminated one of their most obvious weaknesses. Gone are the days of lousy spelling and grammar that made phishing emails relatively obvious.

"They're using spellcheck, and they hire organizations to proofread their emails," he said. "That was a huge indicator in the past."

Finally, there is the rise of "vishing," in which an attacker makes a phone call, posing as someone from another department, to urge an employee to click on a link in an email without checking it thoroughly.

"This means sending the poisoned email to a secretary, and then calling her on the phone to 'confirm she received the email,' under pretense of having to communicate something important to the organization," said Mark Gazit, CEO of ThetaRay. "The adversary will typically stay on the line to make sure the employee launches the attachment."

Gazit said vishing attacks also include sending employees an SMS with a link to a phishing site or a spam message claiming that one of their payment cards has been blocked. "In the process of hastily responding to such a message, the victims end up divulging their banking credentials and PII to the attacker," he said.

The only effective "patch" for this rampant vulnerability, experts say, is better training. And that means changing the prevailing model that they say seems aimed more at "check-the-box" compliance than embedding continuous security awareness in employees.

"Training should not be an 'event,'" Payton said. "We need to move from training to positive reinforcement. Candidly, most of the training we see falls into the 'they snooze, you lose' category of computer-based training."

She recommends creating a "feedback loop" for employees to "tell us why our security protocols get in the way of doing your job; an emotional trigger, to let us show you how following our advice protects you at work and at home; and offering something more than a compliance exercise."

Hadnagy said effective training has to include "real-world" examples. "We do impersonations during business hours to gain access to the building," he said. "The goal is not to make people look stupid, but to show weak spots and what you need to do to strengthen them."

Gazit also said "one-time, boot camp-style training for large groups" doesn't work. "These one-off blasts overload employees with information that they don't really relate to, so they tend to forget it as soon as they are back at their desks," he said.

And he agreed with fellow experts that employees need to feel that the training is relevant. "Executives, accountants, administrators and plant workers are not all subject to the same cyber threats, so training must help each group learn how to recognize and handle the specific threats they are most likely to encounter," he said.

Of course, just as is the case with technology, nothing will make an organization bulletproof. But Hadnagy said good training can dramatically lower the risk. He spoke of one company that hired his team two years ago to test their awareness, and 80% of employees clicked on phishing emails, 90% fell victim to vishing and 90% were duped by one of his team members impersonating a person at the help desk.

"We went to town educating them, and then in a later test, which we made more difficult, they shut us down," he said. "We got nowhere."

That, he said, shows how effective good training can be. "Statements like, 'There is no patch for human stupidity' are damaging to the belief we can fix this," he said. "It's not about humans being stupid, but about humans being unaware and uneducated, and having no direction on what to do when attacks occur."