Exploiting the Human – Why Social Cyber-attacks Work

Antti Kurittu who is Senior Specialist at FICORA NCSC-FI (Finnish National Cert) spoke at our previous Enterprise Cyber Security Europe conference on 19 September 2018 in Amsterdam on the topic of social engineering.

Kurittu’s presentation, which is summarised on his blog (see here), covered a number of themes, summarised below.

1. We know very little about the real extent of cybercrime.

We have very little information on how much there is of it, who is doing the crime and from where. We know some answers to these questions sometimes, but the bigger picture is elusive. If we look at the crime statistics, we can let out a partial sigh of relief, since the amount of cybercrime reported to the police seems like something we can actually deal with. But you can multiply that number by a thousand to account for the detected but unreported cases and then multiply that number by a thousand to get an estimate of how many cases go wholly undetected. 

2. Social engineering techniques are very common.

There are a lot of good reasons for criminals to focus their efforts on exploiting the user instead of exploiting computer systems directly – it’s a lot easier, and when successful, they gain access to systems with legitimate credentials. Our brain’s “software” is really hard to upgrade, and how our minds work is still very opaque to us. Humans are just starting to figure out how human minds work, and the field of psychology gains new insights every day.

3. Susceptibility to social engineering varies but it is difficult to make generalisable conclusions.

With the knowledge that attackers use common psychological tricks, it can be postulated that some individuals are more at risk than others. The studies hint at this, with findings that personality features play a role in an individual’s risk profile, but currently it is not reasonable to use these findings to single out high-risk individuals.

4. There are two routes to persuading individuals to compromise their accounts or credentials – and both of them play on emotions, appealing to our sense of avarice and eliciting fear and panic.

The two methods of extracting compliance described are the central route of persuasion and the peripheral route of persuasion.

5. Organisations can combat phishing through 2-factor authentication and continuous, relentless awareness building.

The way to combat it is relentless education and detection methods inside your organisation, and of course rolling out two-factor authentication, which will stop a phisher dead in their tracks. There are, of course, ways to work around two-factor authentication protections, but opportunistic attacks targeting hundreds of thousands of users simultaneously are more common, and they usually won’t bother phishing your expiring token to exploit it in real time.

Join us for our next Enterprise Cyber Security conference in London on 11 October 2018, during cyber security month, when we bring together hundreds of cyber practitioners to discuss the latest trends and developments in this space.

Register at www.whitehallmedia.co.uk/ecs.