Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by J. Andress and S. Winterfeld.
Cyber warfare is real. That’s why each Friday I will post a review on this book: Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners, and today I am sharing what I am reading in…
Chapter 7: Psychological Weapons.
Psychological weapons are another tool used in cyber warfare. They are designed to leverage the frailties of people (often referred to as “wetware” by hackers) to ultimately gain access to computers, networks or infrastructure. The military may call it PSY OPS, law enforcement uses the term “con artists,” and cyber attackers call it “social engineering,” but it is all the same thing: the use of psychology to manipulate an individual’s beliefs, frailties and motivations so that they knowingly or unknowingly convey valuable information. The authors again do a great job of comparing military operations with civilian ones; I am only going to focus on those that are pertinent to businesses.
Social Engineering (SE) relies on personal contact with the intended victim by way of meetings, phone calls, emails, websites, social networks and any other method of interaction that the intended “mark” will trust. The attacker’s choice of victim falls into two classifications: General and Targeted. For general targets the attacker throws out a wide net of enticements to snag any unsuspecting victim. Some of the common attacks include phishing, pharming, whaling, spear phishing, spam, robocalls, surveys, maintenance calls, infected banners, etc. Once the cyber attacker gets enough information they are ready to attack the system using the logical and/or physical weapons discussed in earlier posts. The cyber warfare attack might consist of the insertion of a virus, worm, keylogger, spyware or some other malware hidden in a Word doc, PDF, photograph, video, game, free app, etc. So be careful of those cute photos of puppies and baby animals that a friend emails you, because you don’t know what might be hidden. The point here is that technical and/or physical weapons are then deployed to attack a computer system, but the way to gain access is to first prey on an individual’s frailties.
Targeted cyber warfare attacks are more nefarious because someone is after a specific individual or group. These attacks are also more time-consuming because the attacker needs to first research their intended victim to discover specific vulnerabilities. The research can take the form of physical or electronic techniques. Physical techniques can include dumpster diving, desk sniffing, over-the-shoulder surfing, video cameras, or serviceman impersonation. Ironically, in today’s world of mobile devices, social networks and the cloud, many attackers don’t need to go through the hassle of physical eavesdropping or put themselves at risk of being identified. Would-be victims are all too willing to broadcast their biases, likes, prejudices, hobbies, associations, personal information, etc. on Facebook, MySpace, Google+, LinkedIn, Monster.com, Twitter and a thousand other sources. Another resource is that many people don’t properly secure sensitive documents on servers that Google can index. Whether it’s naiveté, ignorance or plain stupidity, people have to start thinking with security in mind if they even hope to avoid becoming a victim.
When hackers target the psychology of people’s lack of security awareness, they may use tools like Google Hacking Diggity, which is designed to search Google’s indexes. When I asked the creator of the Diggity software if he was concerned that it would be used by cyber warfare attackers, his answer was that serious attackers have already developed their own tools and they are more powerful than his. This may be true, but these types of tools now give less sophisticated “script kiddies” a way to advance their skills. Once the attacker has the background information, they can then deploy different techniques to extract information. From the least to most aggressive, the techniques include: observe, conversational, interview, interrogation, blackmail [my addition], and torture. So how can a business safeguard its employees from these methods?
The authors reference the way the military trains and structures its soldiers and operations for counterintelligence by relying on confidentiality and security. Many of the same techniques are also applicable to protecting against social engineering and cyber warfare. The main techniques include, but are not limited to:
- Data classification
- Employee security clearance levels
- Process and regulations
- Training so everyone understands how a compromise impacts
At a recent security convention a single theme was often repeated: “There are two classifications of companies: Those that know they have been hacked and those that don’t know yet.” Remember also that nothing is ever lost once it is on the internet, and Google never forgets. One of the first tests of one’s vulnerability is simply to type in your own name and see how long it takes to discover your full name, address, phone number, place of employment, interests, relationships, photos, schools, etc. In the 90’s so many companies required every employee to go through, and rightfully so, sensitivity training. Now the time has come to inject security training. While attackers are not going away as long as there is valuable information to get, the best defenses are: education, encryption, data classifications, employee security levels and policies. We don’t all have to run our companies like military defense contractors, but rather take some of their tools and policies and adapt them to the commercial industry.