{"id":2120,"date":"2019-12-12T19:50:46","date_gmt":"2019-12-12T18:50:46","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/uncategorized\/cybersecurity-is-as-much-about-social-engineering-as-bugs\/"},"modified":"2019-12-13T12:50:17","modified_gmt":"2019-12-13T11:50:17","slug":"cybersecurity-is-as-much-about-social-engineering-as-bugs","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/uncategorized\/cybersecurity-is-as-much-about-social-engineering-as-bugs\/","title":{"rendered":"Cybersecurity is as much about social engineering as bugs"},"content":{"rendered":"

Not a day passes without news of cybersecurity – a ransomware attack, data theft, DDos attack, a research identified vulnerability, \u00a0or serious hardware flaw. At this year's Codemotion Amsterdam,<\/a>\u00a0Eward Driehuis<\/a>, (former research chief at SecureLink and SVP Strategy at Cybersprint) , took us on a hugely entertaining<\/em> journey through the cyber threat landscape of the last few years including the responsibility of devs, and why social engineering matters.\u00a0<\/p>\n

He explained his role:<\/p>\n

"I research threats in\u00a0a company that actually watches over a\u00a0lot of European companies right so we are like the watch guards we look over\u00a0their shoulders everything that happens,\u00a0and whenever we see something happening\u00a0that's out of the ordinary, we're gonna\u00a0either kick the bad guys out or\u00a0we're gonna do something else to make\u00a0sure that this company isn't compromised."<\/p>\n

A short history of cyber crime:\u00a0Banking is an early target but also a saviour<\/strong><\/h2>\n

From 2006 2010 fraud was a fairly old school: "manipulating the post fields in HTTP requests: if you post a transaction to the server you can just adjust the beneficiary accounts. This is not about bugs, but "the laziness of the banking customers who will click that link or you're just plain phishing them, \u00a0you're calling them up and saying 'yeah, we're at the bank and we need to double check a code'.<\/p>\n

Eward asserts that "the only reason why the banks started cybersecurity as an industry is that they were closing down brick-and-mortar offices by the numbers and replacing them all for online channels so they wanted to maintain the confidence in these online channels.\u00a0The banks weren\u2019t being hacked, it was the customers."\u00a0<\/p>\n

Enter the nation-states\u00a0<\/h2>\n

Eward discussed the notorious NotPetya and Wannacry attacks of 2015 noting \u00a0<\/p>\n

"What many people missed about these two attacks is that not one single victim of both attacks that ever paid the ransom to the criminals got their files back, so maybe they weren't criminals…"<\/p><\/blockquote>\n

He noted that it was only recently that the security sector attributed WannaCry to North Korean and Russia as the origins of NotPetya. Given the lack of payments, he suggested they leveraged the attacks for destructive purposes rather than financial remuneration and as an opportunity for flexing muscle as to their abilities to cause havoc. <\/p>\n

Social engineering requires zero bugs<\/strong><\/h2>\n
\"cybercriminals<\/picture>
Cybercriminals and spies use social engineering for easy access even in Europe's holiday months<\/strong><\/figcaption><\/figure>\n

Bugs are not the cause of cybercrime, humans are: "\u00a0You just need to convince someone to do something stupid." Eward detail the power of lateral movement where state-sponsored espionage groups create specific malware not recognized by endpoint security meaning :<\/p>\n

"You have now a foothold in a company network \u00a0and then you're gonna look for intellectual property such as marketing plans and big database that can be stolen and leveraged for economic gain."<\/p><\/blockquote>\n

Other findings\u00a0<\/strong><\/h2>\n
\"small<\/picture>
Small organisations are easy targets <\/strong><\/figcaption><\/figure>\n
    \n
  • Small companies (under 1000 employees) are hit 6 times harder than large organisations, and that\u00a0cybercriminals preference cryptojacking over ransomware by a factor of 2 <\/li>\n
  • Veteran criminals such can wreak havoc breaking into a company's invoice template <\/li>\n
  • A legion of Gentleman spies are growing who "Don't target their target, they target someone else: \u00a0their suppliers, an IT provider, or a service provider\u00a0who they target through their VPNs…"<\/li>\n
  • Stupidity is to blame for PWNing.\u00a0<\/li>\n<\/ul>\n

    Ultimately Eward believes that:<\/p>\n

    "In maybe 10, 20 years we will be more secure than ever, but in the meantime, the system is weak and full of errors and\u00a0of\u00a0all of the attacks that we're looking at,\u00a0I would say 99% attacked the system rather than the software and that's the problem." It looks like social engineering will remain a persist challenge to the efforts of cybersecurity professionals as well as those building platforms and programs. <\/p>\n

    \n
    \n