Enough is enough – 30 years after the advent of the cybersecurity industry we don’t seem to be any safer, despite all of the solutions available on the market. Vice asked DefCon attendees the question on everybody’s minds: Why are we still getting hacked? The answer was surprisingly clear. People get hacked because they are people, and people make mistakes. Just one mistake can mean a breach. Though expressed in different ways, the acknowledgment that human error may be the biggest factor contributing to a breach was nearly unanimous.
If human error is truly a key vulnerability, then can’t we just train our users to avoid phishing and other potential attacks? Yes, and no. It’s a good idea to train users to recognize potential attacks, to learn how to avoid them, and to create a protocol for what they should do if they encounter one. The problem is that many attacks are extremely effective at creating scenarios that manipulate users into a specific behavior even when they think ‘something seems off’. This is done through social engineering that is carefully crafted to provoke an emotional response from the recipient.
Let’s consider phishing as an example. An Executive Admin (EA) receives an email that appears to be from his boss, the CEO, who is currently traveling on business. The email says “Hey Joe- I need you to help me out with something asap. I lost my corporate credit card and I need to process this payment in the next hour. Please just fill out the payment info on this site for me- my cell phone isn’t getting reception.” Joe, the EA, reacts emotionally to the email: it asks for a favor, and Joe wants to please his boss; it also makes it sound as though his boss is in trouble, which appeals to the urge to help. Lastly, the email creates a sense of urgency. That mix of emotions makes Joe more likely to mistakenly send the requested credit card details. The urgency bypasses the moment where Joe would normally pause to consider whether this feels like a normal request, and replaces it with an impulsive, emotional reaction. That’s when a breach happens, and that’s how breaches will continue to happen, because social engineering is so effective.
The reptilian brain, responsible for human survival (fight or flight) mechanisms and impulsive behavior, is strong, often stronger than logic. So, if we want to stop breaches, our security needs to be built for people, given that humans are prone to error. And we’re getting there as an industry: over the last few years, we’ve seen a rise in solutions built on the zero-trust model, a model that assumes everything is a threat. While that sounds harsh, even the most well-meaning user can be a corporate vulnerability under the right circumstances. By implementing a zero-trust strategy you adopt a strategy that never grants trust to anything without verification, eliminating breaches caused by human error.
DefCon attendees should know best. It is, after all, one of the largest hacker conferences in the world. So perhaps it’s time to consider a strategy engineered to protect against this key vulnerability.
To learn more about how Isla protects against the critical categories of web, email, document, phishing, and credential theft attacks visit us at www.cyberinc.com.