Successfully fighting social engineering attacks requires changing behaviors AND knowing what is running within your applications (AT ALL TIMES)

In a recent article, noted cybersecurity consultant Roger Grimes made clear that “Social Engineering Is the Number One Cybersecurity Problem by Far.”

Along with sharing evidence that social engineering attacks are overwhelmingly the origin of security breaches, Mr. Grimes argued for the absolute need to educate everyone in your organization about the problem, the attackers’ methods, and the ways to recognize them.

Grimes’ solution

“Teach yourself, your coworkers, your friends, your family, how to recognize social engineering scams and how to treat them (e.g, ignore, delete, report, etc.). Because social engineering can happen from almost any angle, you must teach everyone to have a healthy level of skepticism, especially with new messages.”

He went on to write “we strongly recommend training everyone with lots of examples of different types of social engineering. The more examples and types of social engineering they are exposed to, the less likely they are to be scammed by a malicious actor. The key is education, education, education. Do not let the scammer be the only one introducing scams to your coworkers and friends.”

In another article, Mr. Grimes went further and asked why the federal government, specifically CISA, gives short shrift to educating people to recognize social engineering attacks while highlighting and prioritizing the need for organizations to defend themselves through other means, specifically by:

  1. Securing RDP ports (Remote Desktop Protocol, the remote graphical access channel ransomware actors routinely abuse when it is exposed to the internet),
  2. Prioritizing the remediation of known exploited vulnerabilities (patching), and
  3. Implementing EDR solutions to disrupt threat actor memory allocation techniques (stopping malware from hiding, launching, and running inside application memory, a space most defenses cannot see into).

Is employee education “enough” to combat the growing capabilities of social engineering attackers?

Mr. Grimes and others are right to focus attention on the size and scope of the social engineering attacks coming at all of us. Educating our employees, training them to recognize and scrutinize the messages coming at them, can and will help us fight the battle brought to us. We need to do it, but I’m skeptical when it comes to expecting measurable improvement or positive outcomes from education alone. Why? Because changing human behavior is hard AND deploying education to effect that change is complicated. I know. I was a teacher.

What is stopping us from investing more time, more effort, and more money into education?

Could it be that we search for and invest in solutions that don’t require “end users changing their behavior” precisely because we know how hard that is to do? I think the answer is “yes,” and we do this almost intuitively. For all the time and effort spent talking about other people’s need to change, we know it’s a chimera.

It’s time to consider another path. Confronted with the evidence that getting end users to change their behavior may be harder than changing our own, we need to look to change how we approach the solutions and processes we create and deliver. We need to look at our behavior.

Where else does entrenched behavior get in the way of cybersecurity hardening?

Successful social engineering attacks lead to many forms of breach, including credential theft and the delivery of malware into our systems. That malware may hide before activating, and may even move laterally through our systems before running, but eventually it runs and does harm.

However, rather than simply note the “behavioral challenge” presented by social engineering attacks, I want to point out the behavioral challenge confronting the CISA guidance aimed at mitigating ransomware activity, the guidance Mr. Grimes also weighed in on.

First, let’s revisit the CISA guidance.

Actions to take today to mitigate ransomware activity:

  1. Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools,
  2. Prioritize remediating known exploited vulnerabilities (patching), and
  3. Implement EDR solutions to disrupt threat actor memory allocation techniques (memory protection).

The above tactics are well known to all of us, and many tools have been built, bought, and deployed to tackle the problem in each area. Yet attacks continue to succeed at an indefensible rate. Why?

Human behavior. We struggle to find, deploy, and maintain protective solutions, including vulnerability patching and memory protection, because we don’t adequately address “human resistance” to change: resistance both to doing new things and to stopping old things, even when they aren’t working. I wish the guidance showed an understanding of what solutions must do and offer to overcome entrenched behavior. But that wasn’t CISA’s role, so let me try here.

The guidance I wish we gave each other: We need to consider both what “we are doing” and what “we should do,” with an emphasis on solutions that:

  1. Can be deployed at reasonable cost and effort, without degrading application or system performance,
  2. Can be maintained and run without inordinate attention or manipulation, and
  3. Allow virtual patching to be done seamlessly, or nearly so.

Why is the above so important? Because people will not accept significant performance degradation to improve security (underperformance elicits immediate complaints). Nor will they take the time and make the effort to manage security solutions, or any solutions, when their day is already full. And, most importantly, vendors won’t deliver improved security solutions unless and until the market demands them.

We spend a lot of time trying to understand and explain the vast cybersecurity landscape and all the solutions, processes, and tools needed to defend against bad actors. This is a complicated subject. The challenges are great. But if we are to succeed in our efforts we must account for people’s behaviors and their perceptions. We must ensure the strategies, tactics, and solutions we deploy do three fundamental things:

  1. Stop malware from running. We will never stop all of it from entering our digital environments, but we can stop it from executing once it is there. Unfortunately, much of the cybersecurity industry has shifted its emphasis from prevention to detection and remediation after the fact.
  2. Make virtual patching and whitelisting nearly seamless. Patching and whitelisting solutions today are too manual, too cumbersome, or too performance degrading. We can do better.
  3. Deliver solutions that are easy to deploy and run. If we don’t, people will not use them, or will not use them fully. And incomplete deployments, including a lack of updating, lead to insecure systems.

So, let’s start anew and include human behavior in our security plans and purchases. Let’s build solutions and processes that people will respond to and will use. Let’s find out what works, and why, and do it. Let’s stop “checking the boxes” on our to-do lists and start looking for better solutions, solutions people will actually use.

Funny thing, it turns out, end users aren’t the only ones who need more education.

Greg Crandell

Greg Crandell provides strategy, market planning, business development, and management consulting to financial technology firms and their clients – Credit Unions and Banks. For more years than he wishes to admit, ...