You are the weakest link

June 1, 2021
How attackers exploit human vulnerability to target organizations
The nature of the threats facing organizations today is as complex as the nature of business itself. But with increasing reliance on digital and remote work, common applications, and a diversified employee base, today’s businesses face an age-old and ever-evolving threat: the threat posed by human vulnerability.

Whether the threat comes from nation-state actors, criminal organizations, hacktivists, activists, or malicious insiders, individual employees and networks are often manipulated to gain access to proprietary information, business intelligence, or goods and services, in an effort to steal information, disrupt business activity, or even destroy businesses altogether. RANE’s Executive Director, Safety + Security, Brian W. Lynch, homed in on the human threat to organizations during a recent interview with Peter Warmka, the author of Confessions of a CIA Spy: The Art of Human Hacking. Through their conversation, they aim to identify the motivations and objectives behind attempted breaches by foreign intelligence services, criminal groups, industrial competitors, activists, and other threat actors.

Warmka points out that changes in the information environment and the rise of technology in the workplace have broadened the range of both threat actors and their potential victims. His observations include:

●    “Prior to the digital age,” Warmka says, “not everybody was a target. We had target selection that had to be very, very carefully conducted because not everybody had access to the information. Information was more closely held. Now almost everybody in the organization, employees, as well as contractors, have a lot of access to information that is held somewhere in the company.” This proliferation of information means that nearly everyone within an organization is a potential target, Warmka says.

●     The range of threat actors targeting this information has also expanded to include criminal groups, nation-state actors, industrial competitors, activist groups, and lone-wolf attackers. These groups may be motivated by financial gain, intelligence gathering, intellectual property theft, or a desire to disrupt business operations.

Warmka notes that threat actors adopt a range of techniques to refine their list of potential targets within an organization before ultimately attempting to recruit those individuals. Here are three key takeaways related to social engineering:

●     Social engineering is one of the most important tools a threat actor can use to manipulate a human target once identified, and Warmka says that these actors often choose to target an individual based on how much information about them is publicly available.

●     Social engineers then use that information to play on what really motivates the individual who has been targeted. That could be money, frustration with the current situation at work, debt, addictions, a simple wish to connect, or even just not recognizing that the corporate information they have might be of value to a threat actor. Factors related to the COVID-19 pandemic, such as financial stress or social isolation, also create opportunities for threat actors to exploit.

●     Using the information they’ve gathered, threat actors then employ a range of techniques to continue recruiting a potential target, including spear phishing, vishing, face-to-face approaches, and going out to meet targets when they're attending trade shows or conferences. These methods draw on the information the attacker has previously gathered to build trust and rapport with the target in order to elicit sensitive information.

While the threat is complex and multifaceted, organizations can take steps to protect themselves against human weaknesses.

According to Warmka, the single most effective step companies can take to protect themselves is to build awareness of the threat across the entire organization through training, from the C-suite all the way down to the entry-level employee. Warmka says that, in his experience, training should include all teams across the enterprise, especially as many employees are likely unaware that they may be a target.

●     This training should focus on recognizing who may be a target, identifying signs of a potential social engineering attack, and familiarizing employees with the types of information attackers may be looking for.

●     Building employee buy-in is crucial, Warmka says, and effective security training should go beyond a compliance exercise. He recommends that leadership convey to employees that what they learn will help protect the organization and that they can apply this new security awareness to their own lives as well.

●     Firms should also carefully consider what information they choose to publicly share about the organization and its employees. Warmka encourages security professionals to think creatively about the types of information that may seem innocuous to an organization but could be a potential treasure trove for a malicious actor looking to target the business. This includes information such as a building floor plan posted at an event or conference, photos of employees who may be wearing their badges, or information on the CEO’s alma mater published on the website or LinkedIn.

●     Companies should ensure there’s a system in place for employees to report any concerns or potential security incidents, and that this system is simple and easy to use. This enables security professionals within an organization to quickly identify any threats or patterns that could indicate a larger, more complex attack targeting multiple employees.

●     Finally, Warmka argues that while technology can form an important piece of a corporate security program, even the most advanced technological solution cannot fully protect a business from the human factor.

About the Experts:

Peter Warmka is the Founder of The Counterintelligence Institute, where he leverages his time as a Senior Intelligence Officer with the U.S. Central Intelligence Agency (CIA). Warmka aims to help U.S. Government agencies, NGOs, major corporations, and academic institutions understand and protect themselves from the ever-increasing threat of security breaches.

Brian W. Lynch is the Executive Director, Safety & Security for RANE. He brings nearly four decades of senior management and executive-level experience in the fields of law enforcement, safety, and security. Previously, Lynch served as Head of Global Security at Vanguard, where he designed and executed the firm’s enterprise-wide Eight Phase Global Security Program as well as a 24x7 global operational model responsible for the identification, analysis, response, and resolution of security incidents. During his tenure in the FBI, Lynch led the Bureau’s efforts in national security investigations by overseeing counterintelligence investigations into the intelligence efforts of foreign intelligence services, by tracking and seizing terrorist funds, and by leading terrorism investigations through the FBI’s Joint Terrorism Task Forces, resulting in the disruption of terror attacks.

ABOUT RANE

RANE (Risk Assistance Network + Exchange) is a networked-based risk intelligence company that connects business leaders to critical risk insights and expertise, enabling risk and security professionals to more efficiently address their most pressing challenges and drive better risk management outcomes. RANE clients receive access to a global network of credentialed risk experts, curated network intelligence, risk news monitoring, in-house analysts and subject matter experts, and collaborative knowledge-sharing events.

About the Author

Brian W. Lynch | Executive Director for Safety & Security at RANE

Brian W. Lynch is the Executive Director for Safety & Security at RANE. Lynch brings nearly four decades of senior management and executive-level experience in the fields of law enforcement, safety, and security. Previously, Lynch served as Head of Global Security at Vanguard. He designed and executed the firm’s enterprise-wide Eight Phase Global Security Program, which included the design and execution of the firm’s secure mail operations processes and training, as well as a 24x7 global operational model responsible for the identification, analysis, response, and resolution of security incidents. Lynch was also a Special Agent with the FBI, serving in investigative and senior executive-level positions over a 22+ year career.