How to Protect Against Human Vulnerabilities in Your Security Program

When it comes to cybersecurity, no doubt humans are the weakest link. No matter how many layers are added to your security stack, nor how much phishing education and awareness training you do, threat actors continue to develop more sophisticated ways to exploit the human vulnerabilities with socially engineered attacks. In fact, as security defenses keep improving, hackers are compelled to develop more clever and convincing ways to exploit the human attack surface to gain access to sensitive assets.

The prime manner for exploiting human vulnerabilities is via phishing, which is the cause of over 90% of breaches. Phishing attacks continue to occur in email. However, improved defenses and employee awareness around phishing emails has caused hackers to use additional attack vectors, including ads, pop-ups, instant messaging, social media, rogue browser extensions and freeware. Phishing attacks are moving in droves to these web-based tactics where users’ guards are down, deploying all manner of techniques to target human weakness. In the end, it doesn’t matter which attack vector is used to get through to your employees. What matters is whether they “take the bait” by clicking on the link and what happens next.

According to Webroot, 95% of web-based attacks now use social engineering to trick users. And the methods that they use are becoming increasingly sophisticated, in large part because users are getting trained to recognize security risks, as well as owing to improvements in network, application and browser security. A key challenge with the phishing threat landscape is short-lived attacks. Most phishing websites hook users within hours of going live and are quickly taken down and move to another URL. Attacks appear and move faster than most organizations’ defenses can be updated to block them. To strengthen defenses against this new threat landscape, organizations must evolve how they plan and implement their defenses against these more sophisticated socially engineered attacks.

New Methods to Tackle the Phishing Problem

Traditional security defenses and employee training are proving insufficient to guard against today’s more sophisticated, short-lived attacks that prey on human nature. The problem is that many traditional technologies such as antivirus controls, sandboxes, secure email and web gateways and next-gen firewalls were designed to protect against attacks directly targeting the network, such as detecting the use of malicious binaries, Exe’s, and early browser exploits. But attackers have moved on and are now targeting users directly with more sophisticated attacks that bypass defenses to get a link in front of their intended victims.

New kinds of strategies are required to deal with these web-based phishing attacks that target employees. What is needed is a combination of employee awareness training, secure email and Web gateways, URL filtration, and now real-time phishing site detection to catch live, previously unknown attacks so they can be automatically blocked by existing infrastructure. Blocking attacks at the start of the kill chain is critically important to stop further damage and breaches.

Because modern phishing attacks target human vulnerabilities, a system is required that can take human vulnerabilities into account. Humans have the ability to visually inspect things, read text, apply context to a situation, and learn from experience by remembering what has happened in the past. To detect active phishing websites, the security controls must mimic this behavior, replicating the capabilities of human intuition, particularly that of highly trained cybersecurity researchers. The system must be capable of analyzing, predicting and blocking cyber threats through self-learning capabilities, honed through analysis of millions of phishing attacks, to determine whether the behavior being seen in a new attack is malicious or not. When it’s determined to be malicious, it must be blocked quickly and automatically, before it can impact users, their machines, or the network.

People are the weakest link in cybersecurity, the last and most fruitful attack surface for cybercriminals. Phishing attack vectors are expanding widely beyond email with ever more convincing phishing websites and tricks to deceive users with their guards down, deploying all manner of techniques to target inherent weaknesses. The good news is that new technologies with real-time phishing detection are becoming available to address this situation, and every organization should take note.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo and Grum botnets.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.