3 Simple Rules to Avoid Being a Cyber Victim

I think it was Walt Kelly, the famous cartoonist, who said “We have met the enemy and he is us.”  How true that sentiment is when it comes to cyber security, and the hackers know it.  In spite of the diligent efforts of businesses to secure their networks with the latest and greatest automated technology, employees continue to make mistakes that lead to successful penetration of their company’s network by hackers.  But not all mistakes are created equal.

A lot of employees practice poor cyber hygiene and have bad habits when it comes to using the internet.  But to be fair, some fall victim to hackers who use clever tricks to influence bad decisions.  The security industry calls these tricks “social engineering,” which is different from what political junkies mean when they use the term for the imposition of social change by a governing authority.  In the cyber security context, social engineering is a non-technical tactic that hackers use to persuade a person to unwittingly reveal information, or take an action, that gives the hacker access to information or systems.  In the military we call this “influence operations.”

Hackers often use modern phone scams to dupe unsuspecting victims into surrendering their authentication credentials and other valuable information over the phone.  They might send a text message carrying a malicious link or attachment to a smartphone, a tactic called “smishing” (SMS phishing), betting that the victim is unaware of the risks associated with text messages from unfamiliar sources.  They might also resort to the timeless conversational tactics practiced by their analog ancestors, the con artists.  But the most prolific form of social engineering is Spear Phishing, a hacker tactic that leverages carefully crafted emails directed at a specific person or group of people.  We’ll talk about Spear Phishing in a little more detail later.

So you may be asking, how do I defend against social engineering?  Well, there are a lot of things we can do, but there are three things that everyone can do immediately to make ourselves less vulnerable to these types of attacks.  All three are related to email, the most popular attack vector among hackers.

First and foremost, PAY ATTENTION TO YOUR EMAIL!  Please excuse my use of capital letters; I’m really not yelling at you, as the rules of online etiquette would suggest.  I’m simply emphasizing the absolutely essential need to understand the risks associated with email.  Yes, there are inherent risks associated with what should be an incorruptible tool.  It really comes down to three simple rules which will help reduce the likelihood of a successful social engineering attack against you.  Notice I used words like “reduce” and “likelihood”?  That’s my not so subtle disclaimer that nothing we do in the cyber security world is 100% effective.  Stoney’s First Law of Cyber Security clearly states that “it isn’t a question of if your network will be hacked, but when.”  The same principle applies to social engineering.  So here are the rules:

  1. Rule #1:  Think before clicking!  Never click on a link embedded in an email, regardless of how familiar the sender seems.  If you need the web page the link claims to point to, go there the way you normally would: type the address you already know or use a bookmark.  Copying the link and pasting it into your browser lands you on the same destination as clicking it, so if you do that, read the address carefully before you press Enter; the text you see in the email and the address the link actually goes to are not necessarily the same.
  2. Rule #2:  Trust your gut!  If you see an email in your queue that appears unfamiliar or suspicious, forward it to your provider’s or company’s spam email account.  Ideally, your company would have a high-end email security system (like EdgeWave’s ePrism) to stop the majority of malicious emails before they get to your inbox.  Remember, Stoney’s First Law says that some malicious emails will get through.
  3. Rule #3:  Do not use the “preview” pane in your email program!  Hackers figured out a while ago how to execute malicious code when the email carrying the code is opened, and the preview pane opens an email, renders its HTML and may fetch its remote content just as surely as double-clicking it does.  Most modern email clients refuse to run scripts in messages and many block remote images by default, which reduces the damage, but a preview pane still eliminates your ability to NOT open a suspicious or unfamiliar email…see Rule #2.

So let’s talk a little more about Spear Phishing.  I’ve always been amazed by the ever evolving cyber security taxonomy.  For the most part, the names we give to hacker tactics and techniques are elegant in their simplicity.  The monikers actually make a lot of sense when you think about them.  Take Phishing and Spear Phishing.  When I think about Phishing, I visualize fishermen casting wide nets intended to catch as many “things” as possible.  Presumably the “things” are fish, but Phishing is indiscriminate, so you could catch an old tire or a license plate.  On the other hand, Spear Phishing is intended to catch a specific fish; that’s why we use a “spear”…anyway, I digress.  On with our discussion about Spear Phishing.

In my mind, Spear Phishing epitomizes the “targeted attack.”  I say that because in order to execute a Spear Phishing attack, the hacker needs to do some work.  The hacker actually follows a methodology to shape the attack.  It starts with Reconnaissance.  As a former Naval Officer and war fighter, I have a deep appreciation for how critical reconnaissance is in shaping and executing a successful attack.  When a hacker performs reconnaissance, he will use non-technical and technical methods to gather as much information about the intended target as possible.  His intention is to piece the information together in order to identify vulnerabilities and determine which vulnerabilities to attack.

I mentioned non-technical and technical reconnaissance.  Non-technical reconnaissance is about gathering publicly available, also called open source, information about a target: employee names and titles, the company’s email address format, the vendors and websites its people use every day.  Technical reconnaissance is performed by directing packets at a target, typically scans and probes, and assessing the replies in order to identify the systems, software versions and vulnerabilities in the target’s network infrastructure.

Once the Reconnaissance phase is complete the hacker is ready to attack.  He uses information gained through reconnaissance to build a list of employees at the targeted company.  He crafts an email that spoofs an internal email from a member of the management team to the employees on the list.  The hacker inserts a link that appears to be the address of a website frequently accessed by company employees, and includes a message intended to drive at least one of the email recipients to click.  The hacker makes a subtle change to the website URL (a swapped letter, a digit in place of a letter, an extra word in the domain) hoping that at least one of the victims will fail to notice the discrepancy.  The link will connect to a malicious website designed to mimic the real website.  The hacker understands that his chances are very good that at least one of the employees will ignore Rules #1 and #2 and click on the link…and the hacker’s bet is a winner!
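Rule #1 and the attack above both turn on the same fact: the text you see in an email link and the address it actually goes to are two different things, and the real address may be a near-copy of one you trust.  The following is an added example, not code from the original article or from EdgeWave, that does the check a careful reader would do by eye.  It parses a constructed HTML email, pulls out every link, and flags a link when its visible text names a different domain than its destination, when the destination is a lookalike of a trusted domain (digits standing in for letters), or when the domain is simply unknown.  The company name examplecorp.com, the sample message and the list of trusted domains are all invented for the example.

```python
"""Link triage for a suspicious email: does the visible link match where it really goes?"""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email that claims to come from management and offers
# a "mirror" link to a lookalike of the company portal.  Names and domains are invented.
SAMPLE_EMAIL = """\
From: "Pat Director" <pat.director@examplecorp.com>
To: staff@examplecorp.com
Subject: Updated benefits enrollment - action required today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Team, please confirm your enrollment before 5pm:</p>
<p><a href="https://portal.examplecorp.com">https://portal.examplecorp.com</a></p>
<p>Mirror if the first link is slow:
<a href="http://portal.examp1ecorp.com/login">portal.examplecorp.com</a></p>
<p>HR handbook: <a href="https://hr.examplecorp.com/handbook.pdf">handbook</a></p>
</body></html>
"""

# Assumption: the organisation's real registrable domain(s).
KNOWN_GOOD_DOMAINS = {"examplecorp.com"}

# Characters attackers swap for letters because they look alike in many fonts.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (adequate for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text, known_good=KNOWN_GOOD_DOMAINS):
    """Return the reasons a link deserves suspicion; an empty list means none were found."""
    reasons = []
    host = urlparse(href).hostname or ""
    dom = registered_domain(host)
    if dom in known_good:
        return reasons
    # 1. The visible text looks like a hostname or URL but the href goes somewhere else.
    text_host = ""
    if text and " " not in text and "." in text:
        text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
    if text_host and registered_domain(text_host) != dom:
        reasons.append(f"display text says {text_host} but href goes to {host}")
    # 2. The destination is a trusted domain with letters swapped for lookalike digits.
    if dom.translate(LOOKALIKES) in known_good:
        reasons.append(f"{dom} is a lookalike of a trusted domain")
    # 3. Otherwise it is simply a domain we do not recognise.
    if not reasons:
        reasons.append(f"{dom} is not a known domain")
    return reasons


def triage_email(raw):
    """Parse a raw RFC 5322 message; return [(href, text, reasons)] for suspicious links."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the two legitimate links pass and the “mirror” link is reported twice over: its text says portal.examplecorp.com while the href goes to portal.examp1ecorp.com, and that domain collapses to the trusted one once the digit 1 is read as the letter l.  The lookalike table is deliberately short; a production filter would also fold in Unicode confusables and two-letter swaps such as “rn” for “m”.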

One employee clicks on the link, and as soon as the malicious website loads in the browser, a malicious script automatically runs, exploiting the vulnerabilities identified during the Reconnaissance phase.  In a matter of seconds, the hacker has gained access to the employee’s computer and established a foothold on the company network.  From there the hacker does what hackers do: escalates privileges to the System Administrator level, moves laterally and vertically across the network, and looks for and finds valuable data to steal.  Oh, by the way…other employees who have their email preview panes enabled, and we know they’re out there, will create additional opportunities for the hacker to enter the network…Rule #3!

So there you have it, folks.  Three simple rules of email safety that, if followed, will dramatically lower the risk of you and your company becoming cyber victims.  Stay Cyber Safe!


Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. He personally directed forces conducting cyber operations across the global Navy cyberdomain and oversaw development and implementation of cooperative (Blue Team) and non-cooperative (Red Team) cyber readiness assessments across the Navy cyber infrastructure.