JOHANNESBURG - Last year, the scourge of ransomware dominated the cyber-security landscape - with businesses, governments, public service institutions and individuals paying millions to unlock encrypted files.
Attacks such as NotPetya and WannaCry hijacked computers worldwide and brought major enterprises to their knees.
Today, while ransomware continues to reign as cyber-threat No1, many cyber-security professionals are warning that social engineering presents a greater threat than malware.
Within the context of information security, social engineering refers to insidious persuasion or manipulation of unsuspecting people into divulging confidential information.
Increasingly, savvy hackers use some form of psychological manipulation to trick unsuspecting internet users and employees into handing over data (passwords, financial information, business IP, etc) that has expensive and highly damaging ramifications for the targeted individual or company.
“The effective use of social engineering is already one of the most dangerous weapons in the cyber-criminal’s arsenal, with uses ranging from nation-state attacks - whether financially motivated or politically driven - to attacks on organisations and consumers,” stated Markus Jakobsson, the chief scientist at Agari, in an article posted on infosecurity.
Indeed, as many research papers and articles have already noted, the human factor (that is, human fallibility) represents a massive criminal opportunity, no matter how advanced the security network in question.
According to Jakobsson, Business Email Compromise (BEC) attacks, which impersonate a trusted identity to trick the target into making payments or sharing sensitive information, are "routinely bypassing traditional security measures and costing businesses thousands and even millions of pounds".
Additionally, he notes that Email Account Compromise (EAC), whereby attackers compromise a legitimate email account and use it to evade security and deceive, is even more difficult to stop.
Between October 2013 and December 2016, the FBI recorded 40 203 cases of BEC and EAC around the world, resulting in total exposed losses of $5302890448 (R68.7bn) to businesses.
This only includes reported attacks - and it is believed that many companies prefer not to make their losses known, or in many cases, are unaware of them for years.
“This figure is also set to rise over the coming years as attackers refine their techniques, and a greater number of would-be criminals are drawn to the opportunities that social engineering entail,” warns Agari’s Jakobsson.
Given that the threat landscape has changed so significantly over the past several years, with social engineering and social hacks highlighting the issue of human fallibility, new approaches to IT security must be explored and embraced.
One such approach to emerge is based on the concept of a Zero Trust Network. Traditional network security relies on a secure perimeter - anything inside the perimeter is trusted, and anything outside the perimeter is not.
A zero-trust network treats all traffic as untrusted, restricting access to secure business data and sensitive resources as much as possible to reduce the risk and mitigate the damage of breaches.
Tech behemoth Google, over the past few years, has developed a security model called BeyondCorp. This is a zero-trust, perimeter-less security framework that it uses to secure access for its 61000 employees and their devices.
Without doubt, the zero-trust network model is fast gaining traction within global cyber-security, but it remains out of reach for many smaller and mid-sized organisations. Looking ahead, we are likely to see the zero-trust model implemented in hybrid forms, depending on the nature and size of organisations.
Increasingly, cyber-security experts are realising that they need to take a more predictive - and proactive - approach to combating the ever-evolving threats. Arguably, the major stumbling block is that the whole security industry is always reacting to yesterday's attack.
“That is kind of the mindset the whole industry has - that if you analyse yesterday's attack on someone else, you can help predict and prevent tomorrow's attack on you,” says Darktrace chief executive Nicole Eagan, in an interview with hackernoon.com. “It’s flawed, because the attackers keep changing the attack vector”
With advances in AI, and more specifically, machine learning, Eagan and many others see an opportunity to understand - in real time - what’s going on. Ultimately, AI can be leveraged to recommend actions to take - even if the attack in question has never been seen before. This approach harnesses machine learning to learn the “norm” of any given system, and then consistently runs checks to see if there’s any deviation from that norm
While emerging security concepts and new technology such as AI will play key roles in the fight against cyber-criminals and social engineering, businesses and managers will always need to focus on ongoing education and internal awareness.
It is up to individuals, business leaders and companies to be proactive and ensure they're taking every action possible to guard against social hacking and other online criminal acts.
Brian Timperley is the managing director (MD) and co-founder of Turrito Networks and MD of Dial-a-Nerd.
The views expressed here are not necessarily those of Independent Media.
- BUSINESS REPORT