Solving the problem of spear phishing attacks lies in better understanding people.
Speaking at the Black Hat conference in Las Vegas, Arun Vishwanath, associate professor at the State University of New York in Buffalo, discussed the problem of dealing with people, whether they be in security agencies, government, financial services, or the security industry, as in “a world where technology is thrown at them, the bad guys are really good at the social side”.
He determined that people are easier to compromise, and once they are compromised, the attackers have the keys to the kingdom, “and that is the reality I grapple with”.
“The proverbial term is the ‘people problem’, and it is a growing problem that is not going away as 20% of breaches are because of something that someone did,” he said. “The good thing about email is anyone can use it, the bad thing is anyone can use it.”
Vishwanath identified three problematic areas: we try to control what people do with engineering solutions like firewalls; we constrain people with ideas of airgapping and whitelisting and restricting administrative privileges; and we convince people with training on spear phishing. He predicted that the cost of training is expected to rise faster than the cost of breaches, and said that we have to do something to make training better.
“Most organizations are for-profit and training effectiveness is not clear as the statistics do not come out; the time to compromise is going up but it is marginal, and the indicator is the three C’s (constrain, convince, control) are not reducing the discovery gap,” he said.
Pointing to research from the MITRE group, he said that people either ignore an email, click on it, or fall into an “inexplicable” category where they cannot account for their actions, and that is a problem.
“It’s not a people problem, it’s an understanding of people problem,” he said. He pointed to his own research on the “SCAM” model, combining ‘Suspicion, Cognition, Automaticity’ with the five factors that explain why people click on attachments, all five of which he identified as people factors. “Cognition is important in finding out how people think, as people use shortcuts and spear phishers know this too,” he said.