Your organisation's human attack surface | BAE Systems | Cyber Security & Intelligence


Your organisation's human attack surface

It goes by several names, including CEO Fraud and the evocative term ‘Whaling’. By now every Chief Information Security Officer should have an understanding of what the FBI calls Business Email Compromise (BEC), in which a company’s legitimate email accounts are compromised through social engineering or computer intrusion techniques in order to conduct unauthorised transfers of funds. Often, the first response on hearing a story about BEC is: why can’t secure email gateways defend against it?
 
To understand, we need to look at the traditional approaches taken by the security community and how BEC is different.
 
The security industry has always looked for what’s ‘bad’ from a technology standpoint. In the traditional security world, indicators of compromise need to be found before an email is considered ‘bad’: the email comes from an IP address that is on a block list, an attachment contains malware, a URL points to a phishing site, or some other piece of data can be interpreted by a machine as suspicious.
 
Even the more recent approaches to detecting sandbox-aware malware are narrowly focused on spotting something that is trying to overcome technological boundaries.
 

The attack surface is human, not technological


BEC is different. The attack surface is human, not technological. And therein lies the fundamental problem. In BEC attacks, there are no attachments to detonate in a sandbox and no URLs to rewrite. BEC relies on impersonation. It’s Social Engineering, just like the 419 Scam that has been exploiting individuals for decades.
 
As a result, the security industry and organisations alike were caught completely flat-footed between 2015 and 2016 when BEC attacks first started to hit hard. Business email compromise grew into a $3.1 billion problem by the middle of 2016 in the US alone.
 
Security controls tend to see things in black and white. Rules are set to consider a message safe, and deliver it, or judge it ‘bad’ and move it to quarantine. Consequently, email gateways miss out on the grey areas – the emails that look like they come from the CEO’s personal webmail account, for example. These messages are tuned to appear completely innocuous to a machine, while still conning the human being that reads them. 
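To make the ‘grey area’ concrete, here is an added illustration (not code from the original article or from BAE Systems) of why an indicator-driven gateway delivers a BEC message unchanged while a small set of impersonation heuristics would at least route it to a human. The block-listed IP, the URL pattern, the executive directory, the organisation domain and both sample messages are all constructed for the example; the heuristics (display name matching an executive while the address does not, a free-webmail sender domain, a mismatched Reply-To, and financial-urgency wording) are the author’s own choice of checks, not a description of any particular product.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# --- Constructed stand-ins for a traditional gateway's indicators of compromise ---
BLOCKED_IPS = {"203.0.113.45"}  # constructed block-list entry (RFC 5737 documentation range)
PHISHING_URL = re.compile(r"https?://\S*login-verify\S*", re.I)  # constructed URL indicator

# --- Constructed organisation context (assumption: the defender knows its own executives) ---
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> legitimate address
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = re.compile(r"\b(wire|transfer|urgent|confidential|payment)\b", re.I)

# Constructed sample 1: a classic credential phish with machine-readable indicators.
PHISH = (
    "Received: from mail.example.net ([203.0.113.45])\n"
    "From: IT Helpdesk <helpdesk@example.net>\n"
    "To: alice@example.com\n"
    "Subject: Verify your account\n"
    "\n"
    "Please verify your account at http://example.net/login-verify/\n"
)

# Constructed sample 2: a BEC message with no attachment, no URL and a clean source IP.
BEC = (
    "Received: from mail-sor.example.org ([198.51.100.7])\n"
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "Reply-To: jane.doe.ceo.private@gmail.com\n"
    "To: alice@example.com\n"
    "Subject: Quick favour\n"
    "\n"
    "Alice, I'm in a meeting. I need an urgent wire transfer to a new supplier "
    "today. Keep this confidential.\n"
)


def gateway_verdict(raw: str) -> str:
    """Black-and-white, indicator-based decision: quarantine only on a known-bad signal."""
    msg = message_from_string(raw)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    if ip and ip.group(1) in BLOCKED_IPS:
        return "quarantine: block-listed source IP"
    if any(part.get_filename() for part in msg.walk()):
        return "quarantine: attachment sent for malware analysis"  # stand-in for AV/sandbox
    if PHISHING_URL.search(msg.get_payload()):
        return "quarantine: URL matches phishing indicator"
    return "deliver"


def impersonation_reasons(raw: str) -> list:
    """Heuristics aimed at the human attack surface; each hit is a reason, not a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        reasons.append("display name matches an executive but the address does not")
    if legit and domain in FREE_WEBMAIL:
        reasons.append("executive name sent from a free webmail domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("Reply-To differs from From")
    if URGENCY_WORDS.search(msg.get_payload()):
        reasons.append("financial-urgency wording in body")
    return reasons


def triage(raw: str) -> str:
    """Combine both views: known-bad is quarantined; a pile-up of soft signals goes to a person."""
    verdict = gateway_verdict(raw)
    if verdict != "deliver":
        return verdict
    if len(impersonation_reasons(raw)) >= 2:
        return "flag for human review"
    return "deliver"


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("bec", BEC)):
        print(label, "| gateway:", gateway_verdict(sample),
              "| triage:", triage(sample),
              "| reasons:", impersonation_reasons(sample))
```

The point of the two functions side by side is that `gateway_verdict` returns `deliver` for the BEC sample because nothing in it is machine-bad, while `impersonation_reasons` collects four soft signals that only make sense in the context of who the organisation’s executives are and how they normally write. None of those signals is proof on its own, which is why `triage` escalates to a human rather than quarantining.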
 
The bad guys will continue to innovate and find new ways of exploiting email, leaving organisations exposed and rendering technology-centric approaches useless. To solve this, we need to stop thinking solely about the technological attack surface and work towards building a more sophisticated security framework that takes into account human fallibility.
Craig Elworthy, Product Line Manager, June 28 2017