Page 86 - Cyber Defense eMagazine January 2024
anybody who has digital processes at the core of their business is a potential ransomware target. Thus,
point number one is to get over the line of thinking that “I’m not a target” because you most certainly are.
Second, social engineering is and will always be an attack vector. By their very nature, our digital systems
demand that human beings interact with them. And as long as there are places where human beings can
interact with systems, human beings can be tricked into providing access to the system. Social
engineering has been going on since before the internet, and the reason it has persisted for decades is that it
consistently works.
How then do we deal with social engineering? For many years, the approach has been training. We do
recommend training, but training is not even remotely sufficient to solve the problem. If it were, these
attacks would not continue to succeed. And no matter how much training people receive, they invariably
make mistakes. They forget, they get distracted, or they are taken in by a flavor of attack they are not used to.
So, what do you need to do? Your best defense is to take the decision making out of the human being's
hands. If I am supposed to click on a window and put in a username and password, then there are ways
for me to be tricked. There are ways for someone to trick me into putting my username and password in
the wrong place. There are ways for someone to trick me into giving my username and password out to
somebody else.
In a recently published attack, bad actors defeated one-time passwords by using deepfake voices to spoof
the identity of the victim’s internal IT help desk team. When asked for a one-time password, the employee
readily gave an OTP to this “internal help desk.” The bad actors then used that one-time password
together with a stolen credential to gain access to the company’s systems.
To the degree that you can remove the decision making from human beings, you take away the social
engineering angle. Fortunately, such a mechanism has been used for 40 years and has never been
defeated. That mechanism is Public Key Infrastructure, or “PKI.” Employees using known devices—
laptops or mobile devices or workstations that remain at an office—can authenticate their identities
automatically through the use of digital certificates on these devices. No known attack can defeat the
cryptographically unassailable mechanisms that assure these certificates are real and true. And social
engineering attacks to gain access are defeated.
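The device-bound login described above, as an added example that is not code from the article or any product it describes: a constructed internal CA enrols a known laptop, the server challenges it with a fresh nonce, and the device answers by signing the nonce with a key that never leaves it, so there is no one-time code a caller could talk out of the user. The CA name, device name and nonce are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate for pub with signer; passing the template as its own parent yields the self-signed CA.
func issue(tmpl, parent *x509.Certificate, name string, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl.Subject.CommonName, tmpl.NotBefore, tmpl.NotAfter = name, time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed example: a provisioning failure is fatal
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}
// Enroll stands in for device provisioning: a constructed internal CA issues a client-auth certificate
// to one known laptop. The device's private key is generated on it and never leaves it.
func Enroll(device string) (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, "Example Device CA", caPub, caKey)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	dev := issue(&x509.Certificate{SerialNumber: big.NewInt(2), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, device, devPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, dev, devKey
}
// Respond is the device's half of the login: sign the server's fresh nonce. There is no code for a person to read out.
func Respond(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}
// Authenticate is the server's half: the certificate must chain to the internal CA with client-auth usage,
// and the signature must cover this session's nonce, so a response captured for another nonce is rejected.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("challenge signature invalid")
	}
	return cert.Subject.CommonName, nil
}
```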
So why would network administrators fail to employ PKI-based authentication? The main reason is
ignorance. They think that a username and password are secure, or they erroneously think that multi-factor
authentication (MFA) is a bullet-proof addition. However, every major multi-factor authentication
mechanism can be defeated by a determined, educated, and well-resourced attacker.
Multi-factor authentication lulls users into a false sense of security. When you have MFA, you begin to
think that you are beyond attack. In reality, you are beyond attack only by “spray and pray” attackers,
not by an Advanced Persistent Threat (APT). That is a mistake many people make. They put MFA in
place and think they have checked a box that they need not think about again. In reality, well-resourced
professional attackers can and do frequently get around it. Taking the decision making out of human
hands as much as you can is what is most needed, because the oddities of how the human brain works
are not something that you and I are going to solve in our lifetime.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.