With the common use of heuristics and especially the advance of Artificial Intelligence (AI) in automated cyber threat mitigation, why do we still need to focus on user cybersecurity awareness?
In cybersecurity, there never was just one solution to reduce risk or fix mitigations. But you always need multiple layers of security. So each layer consists of additional aspects. Software and hardware measures are excellent at catching mass and known threats, with the advance in AI and also the detection of new threats based on known issues. But we can never neglect the human factor as a first, but also the most important line of defense.
I often give the example of driving a car. You can make a car very safe to drive with airbags, ABS, and even some measures with automatic street lane detection and object detection. But even with all the advances in self-driving, at least for now, you still need a human who knows how to drive so that a person can react in new or unexpected situations. This is the same for technology and specifically cybersecurity, therefore users need to have an awareness that we need them to fight cyber threats and crime. So if users know how important they are and how they can help, this can only be our advantage. So give them the knowledge, train them and users can be a first, last, and often also the best line of defense.
What are methods of cyber social engineering and how to identify them?
Social engineering is an age-old tactic to trick people into doing something they do not want to do. So users are tricked by communication, emails, phone, SMS, or videos pretending to be from trusted parties such as banks, colleagues, executives, online payment processors, IT admins, or social websites. So all social engineering attacks have one or more common traits. The scammer will focus on your good nature and human emotions. The criminal will use a false title, a position of authority, for example, as someone you would normally trust, a bank manager, social services, a doctor, etc. and they will try to create an urgency, a time-sensitive situation which will put you under pressure and to act. They may request urgent information, money, or something similar for their criminal gain. So currently the most prevalent social engineering attacks we have seen are via email, voice, SMS, and social messaging.
Social engineering attempts via email are called email phishing or business email compromise. So even with the constant barrage of emails everyone receives, it's normally not difficult to recognize them. Was the email expected? is the first question you should ask yourself. Check from whom this email is. Is the sending domain suspicious or are there some obvious misspellings? Many companies also use technology to insert an external email banner warning to indicate that this email is from outside of their organization. You always should remain suspicious if there is an attachment that asks to enable macros, in office documents mostly, and also be very careful if the email has some information that tries to raise a sense of urgency, "You need to do this immediately", this is always a warning sign.
This is very similar to phone phishing attempts, where criminals may try to lure victims into handing over valuable information. Employee names, title roles, or anything like that. So they will normally call via the switchboard or directly from an unfamiliar number claiming to be a colleague or a well-known vendor, or a third party and create again a sense of urgency with their request. Similar to SMS phishing, people may receive SMS messages asking for a piece of personal information or asking to click on links. This SMS may look legitimate, being from a bank or parcel delivery service or something similar. Always, before clicking or replying, check if this SMS was expected and if the link goes to a legitimate website. And of course, keep your mobile phone updated to avoid security exploits.
How did the increased Working from Home change the cyber threat landscape in the last two years from a user perspective?
Let's start with something outside of the cyber domain, but still related to safety, specifically health and safety. What we have learned in the last two years is that it is important to have an environment at home which enables a safe, healthy, and economical workspace. So this means having sufficient and good lighting, a comfortable and ergonomic chair and the right size desk is much better than sitting on the kitchen table or working from a sofa. But working from home reminded us also to be mindful of who and what is around us when conducting confidential work conversations. So do not discuss confidential information with your IoT devices like Alexa or Google Home nearby, in case they may be listening and sending it to their servers. So, collaboration with your team is very important. It is vital when you are working remotely, but make sure to only use company-approved methods for communication. Don't use any personal or social media apps to discuss work-related topics and of course, the usual advice, upgrade your home network and any personal computers, game consoles, internet-connected TVs, baby monitors, and other IoT devices, and never use a default password. So the security basics also apply at home - or even more at home.
What can we expect from your talk at CSLS 2022?
We have traditionally seen cybersecurity as a domain for technology, with the expectation that solutions for cyber resilience have to be provided by IT. And we happily accepted this challenge and deliver numerous software and hardware solutions, design and development principles, policies, and process controls. However, the most successful cyber attacks in recent times have started with targeting users with phishing emails or other kinds of social engineering, and therefore raising awareness of the users' role in increasing cyber resilience is at least as important as providing just a technical solution. So my presentation will be based on a very famous example, a real robbery in Berlin in the early 19th century showing how user awareness can become an important line of defense in cybersecurity.