In the pantheon of catchy cybersecurity slogans that should never have caught on, two about social engineering spring to mind almost immediately: “End users are the weakest link” and “attackers only have to be lucky once; defenders have to be lucky all the time.” Both of those statements have been repeated by practitioners since time immemorial and seem to make sense superficially, but should we be comfortable with the onus we put on end users to overcome the deficiencies of our defensive systems?
In 2019, with cyberthreats on the rise and breaches increasing in both frequency and magnitude, is it anything other than feigned impotence to claim that a roll of the dice and a potential, stupid (albeit very human) mistake is all that is keeping any given organization from being the next Maersk, Equifax or Capital One? Are we comfortable acknowledging that our defenses are so brittle that they can be shattered with one errant click? We certainly shouldn’t be.
Indeed, even when end users do exactly what they’re told they should, it may still not be enough. It’s hard to forget what is perhaps the most spectacular and consequential example of successful social engineering: The phishing attack on Hillary Clinton’s campaign manager, John Podesta. It was reported that Mr. Podesta thought the official-looking Google password reset email he received was suspicious but the campaign IT department either cleared it or mistyped their reply, causing Mr. Podesta to supply his credentials to state-sponsored attackers. It’s a perfect – but likely not unique – case of someone acting in good faith, performing the actions prescribed by experts, and still becoming a victim.
Take a moment to consider a few explanations as to why attackers target end users for social engineering:
The most commonly proposed remedy for social-engineering attacks is more end-user awareness training. While training is definitely part of the solution, it’s only one of several elements of an effective defense. Other elements include:
In general, the best overall approach might be to start thinking of social-engineering defenses the same way that we’ve been thinking about automobiles and automotive safety for over half a century: Train users to become competent operators, assume that mistakes are unavoidable, supplement the training and capabilities of operators with technologies that make doing the right thing easier and doing the wrong thing harder, and, lastly, implement additional safety features to eliminate or reduce harmful results during a catastrophic event.
James Plouffe (CISSP) is strategic technologist at MobileIron.