Social Engineering: The Next Generation Symantec Report Says User Behavior is Root of Most Breaches

Social engineering was a top concern for organizations across numerous industries and sectors last year. According to Symantec's new Internet Security Threat Report, many organizations have failed to address known security gaps, which have made them vulnerable and susceptible to attacks.

The risk is growing, because social engineers are changing their tactics, says Liam O Murchu, manager of operations at Symantec Security Response.

"They're trying to exploit the weaknesses of the user, instead of the weaknesses of the system," O Murchu says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].

That's made social engineering schemes difficult to prevent. O Murchu says organizations have to address user intelligence and education, both of which are complex areas to improve.

Technology still plays a role, however. "You're more likely to get infected if you have lax security procedures in place," O Murchu says. "A lot of the attacks that we see are because some aspect of security was either overlooked or ignored."

During this interview, O Murchu discusses:

  • How the proliferation of malware toolkits is making hackers' jobs easier;
  • Why employee and customer education is so critical;
  • How mobile is expected to pose increasing threats in 2012 and beyond.

O Murchu is a researcher and manager of Symantec Security Response Operations for North America. He joined Symantec by way of Symantec's acquisition of Brightmail. O Murchu spent his early years with Symantec working for the Symantec Security Response team based in Dublin as a reverse engineer analyzing the latest threats. He later managed the EMEA Symantec Security Response operations team.

Prior to joining Symantec, O Murchu worked as a security tester and programmer for a startup company.

The Internet Security Report

TRACY KITTEN: This Internet Security Report is an annual analysis of online fraud and security trends Symantec reviews from a wide range of vendors and industries. Can you offer some background about the report, such as the number of years it's been published and how the information is collected?

LIAM O MURCHU: We've been doing the Internet Security Report for about ten years and every year we look at changes that we've seen to the threat landscape. That could be an increase in spam, a decrease in viruses that are being used or an increase in banking Trojans. And it's a general overview of what happened in the last year, and it's useful in comparing to previous years so we can see what's changed.

The way we collect the data is we look at all the different telemetries we have here in Symantec, whether that's the amount of spam we block or the amount of viruses we detect; or an instance that we've investigated; and any type of information we can gather and measure we put into this report. We have a global intelligence network of about 65 million devices around the world that can report information back to us, and we use that for generating this report.

KITTEN: When you look at some of the results that were collected this year, which threats concern you the most and why?

O MURCHU: The very big issue that comes out of the report this year is the fact that most of the attacks are increasing and they're increasing by a lot. We saw that there has been a decrease in certain areas. For example, the amount of spam being sent has decreased. This year, the amount of vulnerabilities has been found to decrease, but that hasn't thwarted the attackers. The attackers are still pushing hard. They're using kits and packs that you can buy in the underground that help facilitate easy attacks and creating easy campaigns, and they're using them to great effect and they're launching more and more attacks using these ready-made kits that they can just point and click at and then they create a campaign.

Malicious Attacks Increasing

KITTEN: One point that I found interesting is that while the number of online vulnerabilities dropped 20 percent from 2010 to 2011, the number of malicious attacks that Symantec tracked jumped 81 percent and you've touched on some of that. But can you explain how we can see such a variance in those two numbers?

O MURCHU: Those are very good points to pick out of the report, and really what we're seeing is the attackers are changing their tactics and they're changing the way they operate. For example, social media and social networks now are playing a large part in attacks and the attackers are using those social networks to launch attacks.

As an example there, say you receive spam that's advertising something, and you also receive a message that you think is coming from your friend and that is advertising something. People are much more likely to trust the message that comes from their friends, and that's the sort of trust that the attackers are abusing and trying to take advantage of. They have a lot of campaigns where if you're on a social network and you click on something, inadvertently it will spam out messages to all of your friends on that social media network. They'll come from you and maybe they will post to your wall or something like that, and say, "Hey, look at this video." Then you think that your friend has posted it, so you're more likely to click on it. Along with what I mentioned earlier about these exploit packs that they can use to facilitate a campaign easily, they're also using social media and social networks to launch attacks to get people to click on things that perhaps they shouldn't and go to websites that they normally wouldn't visit.

Social-Engineering Schemes

KITTEN: I would like to point out that the 50 page report does offer quite a few details about a number of threats, everything from increases in spear-phishing attacks to hacktivism, but I would like to highlight some of the social engineering schemes that you just touched on and the exploitation of user behavior. Of course, these seem to be the root of most of the threats that we see. Why do so many organizations and industries continue to struggle when it comes to fighting these types of schemes?

O MURCHU: Well, you're right. Social engineering has definitely been a focus of the attackers for the past year, and it's definitely growing in its use. We have seen a trend of that over the last couple of years, and the reason for that is that it's becoming more and more difficult to attack somebody in an automated way without them having to be involved. In previous years we saw many, many attacks where you didn't need to do social engineering. You could just launch an attack silently without the infected user ever knowing.

Now what we're seeing is it's getting more difficult to launch those types of attacks, so the attackers are changing their tactics and they're trying to exploit the weaknesses of the user instead of the weaknesses of the system. They will send you what you think is a receipt for an airplane ticket, a seat for a lottery that you've won. Some of them are very convincing, targeted attacks. For example, they also rely on social engineering and a targeted attack would be something like they'll get some information about you from online and then they'll send you a specially crafted e-mail with information that maybe you expect to receive, and that's again social engineering.

Sometimes it can be very, very convincing. We've seen examples where people had attended a meeting the previous week and they were expecting to receive meeting minutes and they did receive an e-mail that contained meeting minutes and it was for the right meeting, and it had the correct list of attendees that had attended the meeting, but the e-mail had actually been sent by an attacker. The attacker obviously had some very, very deep knowledge of what the potential victim was doing and what they were expecting to receive. Those sorts of attacks are definitely increasing and the reason they're increasing is because they're effective, and it's very difficult for users to understand what they're meant to click and what they're not meant to click on. What's real and what's not?

KITTEN: When we think about social engineering and the exploitation of user behavior being the root of most of these Internet threats and risks, why are we not doing enough to address those risks?

O MURCHU: Well those risks are very difficult to address. Addressing user intelligence or user education is a very difficult thing. It's not something that we can sell a product for, and so what we do instead is we focus on the technological aspects of it and try to protect. For example, for the last year we've been very focused on targeted attacks and how to detect them and how to look for suspicious activity coming in, analyzing the types of documents that are used in these attacks. That's an area of focus for all security products right now.

At the end of the day, the user is definitely a vulnerable point in the chain and we need to have the technology that can aid them in making better decisions and protect them if they click on something that they're not meant to, trying to have some sort of heuristic information in there. Say, for example, you have a Word document that tries to execute a program. Well normally you wouldn't expect that behavior from a Word document, so let's block that, and that's a lot of technology that we've been putting into our products recently.

Inadequate Security

KITTEN: I want to step back for a moment and look at the report generally. It seems that most of the issues that institutions and organizations are having just relate to the fact that they have lax security precautions and measures. Would you agree?

O MURCHU: That's an aspect in a lot of attacks that we see. [It's] definitely true that you're more likely to get infected if you have lax security procedures in place, and a lot of the attacks that we see are because some aspect of security was either overlooked or ignored. That happens in all sorts of organizations right from the very, very small up to the very largest organizations, and that's really where you need to have your product in place and your strategy in place to protect against oversights.

It's fine to make oversights if you have a back-up plan or just something in place that's going to protect you, and just ignoring the current threat landscape and just hoping that you're not going to get infected is not really going to work. That's why the Internet Security Report is really good for organizations to look at and see, "Okay, these are the types of attacks that other people are being hit with and this is what we need to be looking out for."

Emerging Threats

KITTEN: Looking ahead into 2012, Symantec notes that we can expect to face a number of the same challenges. Can you give us some perspective on what we might expect to see more of this year?

O MURCHU: In the report we noticed that the amount of malware for mobile phones, for smart phones, is increasing. Now we're still seeing a very small amount compared to what we see on other operating systems, but we're definitely seeing a focus by the attackers on smart phones. They're looking to see how they can make money from infecting your smart phone, and we've seen already this year that some groups have figured out how to make money. We analyzed one group who were able to make $1 million a year just from sending premium text messages from infected phones. That gang was just sending one text message per month from your phone, so it's not like they got on your phone and they started sending 100 messages. They were doing it in a very slow, organized and discreet manner. That's the sort of focus that attackers are placing on smart phones right now. Obviously, $1 million a year is quite a considerable amount, and we can expect to see in the future more attacks on mobile phones.

Outside of that, we've seen an increase in targeted attacks, and not just an increase but a farther distribution or a wider distribution of targeted attacks. Previously we saw the targeted attacks only focused on CEOs or very important people in the company, and they only focused on large companies, say defense contractors or government agencies. Now what we're seeing is that targeted attacks are being sent out to small businesses as well. Fifty percent of the attacks we saw this year, the targeted attacks went to companies with less than 2,500 people and about 20 percent of these targeted attacks were sent to organizations with less than 250 people. We can see that these targeted attacks are really being used very, very broadly and we expect to see that continue in the future as well.

Global Differences

KITTEN: What about unique threats facing different global markets? Are there any significant differences among the threats you've noticed?

O MURCHU: That ties in with what I said about targeted attacks. We have seen targeted attacks and they're going after very specific markets, and we've seen them go after oil companies. We've seen them go after car manufacturers. We're starting to see attackers emerge that are looking at very specific markets, and that's concerning. For example, we saw attacks on the stock exchange, some would say on companies running the stock exchanges around the world, last year. They weren't significant attacks, but it shows that attackers are looking in that area.

KITTEN: What if we stepped back to look at different regions of the world?

O MURCHU: Yes, we do see different attacks based in different parts of the world. For the most part, we see that the attacks are global. They're spread out and they're attacking all sorts of computers worldwide, but we do see some very specific attacks confined to certain locations. A good example was a couple of years ago. We had the Stuxnet attack that was targeting Iran, and Duqu, which was a follow-up threat that was only targeting Iran. We also see ad-clicking trojans that will only display ads if you're in a specific country. We saw a threat last year that was only showing ads if you lived in the U.K. If you were outside of the U.K., it wasn't affecting you. We saw banking trojans that were only affecting computers in Europe. They weren't interested in American banks. So we do see attackers trying out all sorts of different techniques and focusing on different markets and different locations.

KITTEN: To go back to talk a little bit about some of the differences that you see in the attacks that are waged against certain industries, from the report it seems that healthcare appears to be an industry that's struggling the most. What can you tell us about healthcare and its seeming inability to adequately protect consumer data?

O MURCHU: Yes, we did see a lot of attacks on healthcare and a lot of data breaches from healthcare this year, and we're not quite sure why that is, but I guess that healthcare companies may not be as well protected as, say for example, IT companies. You would expect IT companies maybe to have a better grasp on security and how to protect their products than a healthcare company. That may have contributed to that. It's unclear exactly why we're seeing an increase in healthcare right now.

KITTEN: What advice could you offer about protecting organizations from some of these threats?

O MURCHU: The standard protection procedures, which are to update your software and know what software you have installed; and whatever you have installed make sure it's updated. Get patches from your vendors. Have a security procedure in place. Have a security product installed on your computers and on your network, and really think about what it is that you want to protect and put your resources in place to protect that.

If you're a home user and you want to protect your banking information, then you want to make sure that your computer's updated and patched and that you have security products installed.

If you're a large corporation, obviously you want to have a layered approach to security. You're taking multiple precautions to protect your data, and particularly identifying in your network what it is that's most valuable, for example your intellectual property and having proper access controls to that data, and that would go a long way towards improving the situation.