In cybersecurity, hacking people is much easier than overcoming advanced technical defenses. Attackers are refining their techniques for social engineering, the practice of exploiting people to compromise a system, in order to deploy their malicious capabilities and do harm. Social engineering continues to be a significant security problem for the industry, even in the face of improving security technologies.
As Sun Tzu stated over two thousand years ago, “It is best to win without fighting”. Why expend effort overcoming all the technical barriers when people are the easiest avenue to success? Attackers are smart. They tend to follow the path of least resistance in pursuit of their goals. With ~80% of workers unable to detect the most common and frequently used phishing scams, attackers are winning when they target human behaviors.
Even the most serious investments in security technology can be undermined by poor human behaviors. Making the castle walls tall and thick will be meaningless if the guards at the gate let everyone in. This is exactly why attackers have historically maneuvered to manipulate victims into making bad decisions. In the digital world, it can be as simple as luring an unsuspecting target to click on a malicious link in an email or visit an infected website, which initiates a chain of events to undermine the security and unravel an entire network. It is that easy.
Raj Samani, Intel Security EMEA CTO, and Charles McFarland have released a report, Hacking the Human Operating System, which outlines the challenges to the cybersecurity community. They describe the hunting and farming techniques, discuss the social engineering attack lifecycle, and provide a number of defenses against these types of attacks.
Social engineering attacks are not going away anytime soon. They are evolving to become more effective and represent a significant risk to the security of every person and organization connected to the Internet. Security fundamentals include a combination of both technical and behavioral controls. People are part of the battlefield and can be the greatest weakness or asset. We all must make hacking humans a more difficult proposition for cyber attackers.