“Curiosity killed the cat” is an age-old proverb that warns of the unnecessary risks of poking one’s nose where it doesn’t belong.
Curiosity is increasingly exploited by cyber criminals, says Matthew Kuan, Fortinet’s Southeast Asia & Hong Kong Director of Marketing. “It has been recognised that humans are one of the weakest, if not the weakest, link in any organisation’s cyber security posture.”
GovInsider spoke to Kuan to find out more about the dangers of social engineering threats and how organisations can guard against them.
Exploiting human curiosity
Social engineering is a non-technical tactic that takes advantage of personality traits such as curiosity and goodwill to gain access to confidential information or spread malware.
Phishing is a social engineering tactic that has been widely used during Covid-19, says Kuan. Hackers have masqueraded as Ukraine’s Centre for Public Health, and impersonated the WHO trademark to lure people into clicking on links or opening malicious documents.
Email is a top attack vector, and organisations must upgrade email security. Fortinet email analytics found that 1 in 3,000 messages still contain malware, some of which contain previously unknown malware that easily bypass email security.
Baiting is another tactic where hackers intentionally leave behind a malware-infected thumb drive or CD in a place where it is likely to be pick up and by an unsuspecting victim, he says. “Social engineering is not restricted to electronic means of extracting or stealing information. It can be very physical.”
Advancing cyber attacks
Hackers are also advancing their techniques, says Kuan. “As much as we are using AI and machine learning to bolster our cybersecurity posture, the criminals are using the very same tools to maximise their attack success rate.”
Attackers are using polymorphic threats, which have built-in machine learning capabilities that evolve the malware in order to evade detection, he says. AI also enables hackers to intelligently select and target the weakest link in the organisation.
“When hackers couple social engineering with sophisticated technologies, it becomes a very, very powerful threat. Many organisations don’t even realise what they’re actually dealing with,” Kuan says.
People, process, technology
Kuan suggests tackling these threats from three areas: people, process, and technology.
First, organisations should start by conducting cyber audits to find out who the weak links are.
This is not to deliberately shame anyone, says Kuan, but to identify employees who may need more cybersecurity training.
To tackle the ‘process’ aspect, Kuan suggests that organisations look at what procedures can be automated. “Where humans fail, the machine would actually be able to cover those gaps.”
Automation will enhance the detection and mitigation of cyber threats, he says. In the event of a breach, the system can automatically notify the security department and quarantine the software or system in a sandbox. That would allow analysts to investigate the malware and its origins without exposing the rest of the organisation’s systems, Kuan adds.
Lastly, robust security technology is required to guard against cyber breaches, says Kuan. Organisations should ensure the different solutions operate and communicate with each other seamlessly. When threat information is shared instantly across the security network, the system should be capable of rapidly deploying security protocols to prevent the attack and to mitigate the suspicious activity.”
Fortinet’s security fabric integrates existing and new cybersecurity solutions into a cohesive security unit that works together to prevent, detect and mitigate threats. When one part of the security fabric detects a threat, it automatically notifies the other security solutions within the fabric to take the required actions to protect against the threats from entering the system.
Curiosity is an innate personality, trait that should be cherished. But as the cyber battlefield grows increasingly intense, precautions must be in place to stop this trait from being exploited by hackers.