Monday 11 December 2017

The Human Element

There is one attack vector that all users are susceptible to and unfortunately to some degree – always will be. Social Engineering. The mere mention of Social Engineering can cause some CIOs / CISOs / Information Security Heads to begin to shake and tremble and to those who don’t, I would argue, they have not entirely understood the full effect a skilled Social Engineer can impact on their business. Social Engineers rely on the big bag of fluid that is sat behind the computer (otherwise known as the wetware) to make a mistake. Wetware, most commonly known as “people” or to the management among the reader “employees” (or in some cases “minions”) are currently and have been for some time - the biggest headache to security professionals.

It is commonly agreed that effective employee Security Awareness Training is the best answer to Social Engineers. Effective Employee Security Awareness training should raise awareness of this dangerous cyber-attack vector, including the different methods usually employed by a Social Engineer. However, following Security Awareness training how do we assess and test how effective Security Awareness training has been? Can this truly be tested?

Social Engineers will not just attack an employee at work, they will attempt to steal sensitive information no matter the environment. Remember, sensitive information is in the eye of the beholder. It may not relate to just your business, it may be sensitive or personal to your employees. A good Social engineer will use various techniques to maximise disruption to your business which will include targeting your employees when they leave the logical and physical security fortress built for them by your IT Security team and or department. So, in reality, Employee Security Awareness Training asks that the wetware be on the constant lookout, have an uninterrupted vigilance against Social Engineers - which can be tiresome and draining on the employee. Keep in mind that the ultimate aim of any Social Engineer is to get your employee to lower the drawbridge and bypass the security controls of your CIS Security fortress entirely.

Effective employee Security Awareness Training is something that must be entrenched into your employee, almost as part of their behavioural DNA when surfing the internet, using apps, talking on the phone, dealing with email, doing their online shopping, during all digital dealings, without delay, disdain or derision - security must remain at the forefront of their consciousness. Sounds almost impossible, right? Most likely, but it’s said that your best teacher is your last mistake.

In what seems to me now looking back - a past life, I was a JNCO in Her Majesty’s Royal Air Force. As part of the annual RAF competencies I had to keep up to date with including fitness tests and getting gassed once a year (Armed Forces Veterans and Regulars will know the pain…), one element was Human Factor (HF) training. It was a necessity that all MoD personnel were subjected to HF training in an effort to improve Air Safety at MoD bases. It operated on the premise that MoD site supports a system (the MoD uses Defence Aviation Error Management System or DAEMS) which encouraged Airmen to submit ideas to improve safety or own up to mistakes freely, it would change the behaviour within the workforce. The system would highlight issues with policies, procedures or introduce a new way of working to prevent mistakes or even improve an Airman’s environment.

The philosophy behind Human Factors training is this. How much concentration is lost on a particular task if we as human beings are stressed, hungry, (or in my wife’s case - “hangry”) tired, too cold, too hot, etc? The list goes on and on, we are of course - only human. Dr Abraham Maslow published his “Hierarchy of Needs” way back in 1943 and it has been the basis for psychology students since. The logic behind the hierarchy is simple: the essential survival needs in the lowest level of the pyramid must be satisfied before the individual can turn his or her attention to the next level, then the next level must be satisfied before proceeding up; and so on. All the human body’s needs stated on Maslow’s Hierarchy have been proven to affect performance. It is these slips in performance that a skilled Social Engineer will aim to exploit and take full advantage of.

Fig 1 – Maslow’s Hierarchy

An interesting footnote to the hierarchy – in today’s modern world, there is an argument1 that Wi-Fi, mobile phones and social media should be appended to the hierarchy at the very base, at the physiological needs stage. They are being rated as important to humans today as the things we need to exist! Food, water, clothing etc! I’m sure it is in jest, but it does highlight how important a digital life has become and how some employees might be distracted or stressed if their digital existence is under threat.
It occurs to me that HF training could be adapted to Cyber Security. How excellent would it be to have a system that captures and harnesses the Human element? Using a business’s greatest weakness and morphing it into its greatest asset. Instead of having HF to improve Air Safety, have it to improve Cyber Security. Let’s say your MoD Site (your business) decides to develop and introduce a system which allows its Airmen (employees) to submit ideas on how the organisation can improve Cyber Security, their environment and in turn being rewarded for practical ideas that can be implemented. Please note, I am not advocating that this system will not prevent mistakes all together. Albert Einstein once said, “Only two things are infinite, the universe and human stupidity and I’m not sure about the former.”

Nevertheless, it is a step in the right direction. I believe it will (when implemented correctly) allow others to learn from a common blunder, improve policies and procedures and allow your organisation to improve the life of its employees by implementing practical ideas where applicable.
A lynchpin to the whole scheme was that no matter whether an idea submitted could improve Cyber Security or not, the submitter was given feedback. Either “yes - that’s great we can implement that,” or “no, we won’t adopt this idea because of x y z reasons”. The feedback has to be given to allow learning. Feedback will demonstrate to the submitter the reasons why a procedure is designed the way it is, the security reasons behind it.

In implementing HF training with an aim to improve Cyber Security, an understanding must be reached that humans will always make mistakes, but it’s how the entire organisation can learn from one mistake, to prevent future occurrences or even spot improvements to the Security posture from a unique point of view that will prevent a mistake entirely. The bottom line is this – you know your environment, this is an idea which could potentially harness the human element and use it as a force to improve the Cyber Security posture of your organisation.

"All men make mistakes, but only wise men learn from their mistakes”
Winston Churchill


Cyber Criminals set to Reap the benefits of an insecure IoT


Pictured is Her Majesty’s Royal Air Force Remotely Piloted Air System (RPAS) “Reaper”. An impressive feat of technical and mechanical engineering. A true vision that entwines human engineering and intuition. A magnificent demonstration of controlling device hundreds of thousands of miles away to investigate a threat or direct an attack. The reaper stands ready, poised to attack, to swing the scythe at any moment – not unlike the latest Botnet to threaten the Cyber community, also named Reaper.

A Botnet is a collection of Internet Connected devices or Internet of Things (IoT) devices which have been infected with malware. In my previous blogs (Securing the IoT), I mention the IoT and the threats an insecure IoT can bring – Botnets being an increased threat. Reaper is not the first Botnet and by any means, it won’t be the last.

The Mirai Botnet made headlines back in September of 2016 when it deployed a Distributed Denial of Service (DDoS) attack and took down a well-known security researchers website. A DDoS attack is when a plethora of IoT devices direct traffic at one target. The malware scans IoT devices – such as IP cameras, routers, toasters… and attempts to brute force or guess the username and password of a device. Alternatively, the malware was able to spread by the use of external scanners to locate weak devices, then brute forcing the credentials once more.

If an IoT device has a default username and password, the malware can then use Telnet to login and install, turning it into what’s known as a zombie. These zombies are then used to direct large scales of traffic at a target. The attack which took down a security researchers website had a flow of traffic which reached speeds of 620GBps! Later in 2016, internet blackouts were seen in America and Europe due to DDoS attacks aimed at an Internet performance management company - Dyn. Dyn is responsible for providing Domain Naming Services (DNS). For those who are not aware, when you type in an internet address (www.) into your browser, a DNS resolves that “human language” into a language machines can understand – an IP address. In October 2016, a DDoS attack was launched on Dyn which resulted in DNS requests being unable to be processed. Traffic directed at Dyn apparently reached speeds of 1.2TBps, all through using the might of Mirai.

Botnet malware does not render IoT devices unusable though, commonly – unless anti-malware is installed, a user will have no contemplation that their device is actually a zombie, their device will – in most cases, continue to function as normal.

Mirai used to be the weapon of choice available to Cyber Criminals. They would use Mirai to hold websites or infrastructure at ransom, denying their services to the public unless a substantial fee was paid. Alternatively, Mirai has been used to cause confusion and panic while other malware was employed to sneak company Intellectual Property out the back door. That is not to say Mirai is no longer available, it is! But there’s a new Botnet in town which some security researchers dub to be Mirai’s younger bigger brother – Reaper.

Reaper no longer relies on brute forcing an insecure IoT device. Researchers pin the high infection rate of Reaper on its ability to utilise software hacking techniques. This malware is not the booting down doors type – like Mirai, it is the sophisticated targeted lock picker. Reaper apparently has the ability to use and exploit Common Vulnerability Exposures (CVEs) within code, enslaving those systems that have not been patched or securely configured.

Since September 2017, an estimated one million organisations have been scanned but with an unknown, definitive number of devices infected. Research suggests 10,000 devices have already been enslaved, with the Reaper Command and Control (C2) originating in China. The location of course can be forged but what is known is that the size of the botnet is not slowing and Reaper is definitely more sophisticated than Mirai. The fact that Mirai is still useful to Cyber Criminals to effect successful DDoS attacks, who can tell the level of devastation or reward for Cyber Criminals this Botnet may reap.

If anything, this new threat does highlight the importance of patching your devices and changing the default credentials of your systems within your home and business. This will go a long way to help securing our IoT to prevent the spread of this, future and past Botnets.

“You become a changed person when you face the reaper and deny him your soul”
Martha Sweeney, Amazon Best Selling Author