Bright Stove

Reflecting information risk journey

When our guard is down

leave a comment »

We don’t normally feel the reality of a criminal attack on the Internet (or so called Cybercrime attack in the Cyberspace these days) until someone we know, especially when a friend, or a relative actually became a victim to such an incident. If we see an accident on the road, we actually see it. Our emotional status changes at that point, and we are likely to become more cautious for at least momentarily, and this heightened state of vigilance will likely stay with us for a short period until the image of the accident has been put behind us. Then nothing happens, and we will let our guard down. Life goes on.

The visibility of risk in the online world (aka Cyberspace) is so opaque that even after learning about an incident that is still ongoing, we go online, everything in front of us (in our own cyber landscape) still looks normal. The scene of incident is not just virtual, but changes dynamically. If the victim is an end user, the affected end device is likely her home computer, tablet, or smartphone, which doesn’t even have a web front, and there’s no network logs available to analyze like what organizations have in most cases. Unless we are physically at the same location as the victim, we have to imagine how the scene looks like. It is not as observable. So our guard will remain down.

One common thing about Cybersecurity incidents is that when we hear or read about it, it is likely that it has already happened before. Otherwise, we may not even find out, especially as an end user. By performing a search online using keywords related to the problem, and as a third person, we will then learn about the danger that we have been so lucky not being exposed, or perhaps not known to have been exposed, but now able to learn how to find out if we are truly lucky, or just being ignorant. I guess that’s one of the benefits of having the Internet.

An old friend called last night. A few hours before, he received a call from someone who claimed to be from Microsoft technical support, who informed him that his machine has been found inflected with a malware, and volunteered to help him solve it. But before they could help him, he has to renew his technical support contract, which costs S$399 to do so. Driven by fear of the unknown malware, and the urgency of the caller’s tone, he complied with the caller’s advice, and proceeded to make the payment online. He then allowed the caller to take over control of his machine remotely, who started installing stuff into it. After the person hang up the phone, while the remote installation continued, he then started to think about what just happened and decided to call me to check if Microsoft will do such a thing. Unfortunately, he had just fallen into a tech support scam 😦 and Microsoft have published quite substantively about the scam at: https://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx.

As I reflect on this incident, a question emerges on what if I receive such a call myself? Would there be a chance that I get scammed as well? I think there is always a possibility, since I’m also a human being, and can be reacting emotionally or impulsively, depending on how the caller manages the conversation. Furthermore, even as an information security worker, it is impossible for me to know every single possible ways the scammer works. Today they may use tech support, tomorrow another service, and the next day something else that can get me to respond to the way they want it. There are just too many ways to break something or someone, and often not too difficult to do. Social engineering is already a matured craft by itself. Robert B Cialdini has shown in his book “Influence“, so as Kevin D Mitnick in “The Art of Deception“.

When asked about how to stay safe online, the short answer is often “be vigilant.” Unfortunately, it is impossible to be vigilant all the time. It will be highly stressful, and the effects on our health may even be worst that suffering from an online scam. In reality, our guard is often down. We react to situation as it develops. What’s worst is that we also have a tendency to develop and use automation in our brain to take short cuts and react quickly. The default mode is often to react automatically, which is a survival instinct, especially when triggered under pressure, as what Robert B Cialdini has discovered in his research and experience described in “Influence“.

In the organizational context, readiness drills and exercises can help to heighten users’ awareness and build technical infrastructure, and enhance individuals’ competencies to enable faster detection and better responses to security attacks. For example, read my earlier blog on “Responsive Security in Action” in my blog series on Responsive Security. Many organizations have started doing this in the past few years. The security industry (for enterprise market in particular), in general, has been developing more products and services in recent years to facilitate higher security readiness as well. But for consumers at large, people who are not working for big organizations, how to get them to be ready to be safe and secure? I think this is a much more challenging area. Over the years, I have thought about a few ideas, but these are just snippets of tactics, not a complete solution.

For example, can there be virtual security signposts and posters (in the form of warning/alerts, or “watchful eyes“, instead of just advertisements) in the online environment where we browse and roam around regularly? How should the web architecture on the Internet evolve to facilitate security needs? Who should own the outcomes, which dictates the contents, and the delivery?

Who should plan, organize, and fund Cyber readiness drills/exercises activities for citizens who are online as well? How to tell if a drill is real or yet another scam? There is no simple answer to these questions, unfortunately.

What I’ve also realized through a number of incidents involving friends thus far is that money is a common denominator. That’s what most scammers are after (unless you are someone who has more to offer than money). If someone asks for money to be transferred, stop, take a deep breath, and think about it again – must I make this payment, and must it be now? This approach is similar to what Cialdini advises in “Influence” on how not to be scammed into buying things that we don’t need, i.e., turn off the automated reaction mode. Pause, think, then act. It may not be fool proof, since we are human, taking shortcut is in our DNA. But if we can remember to slow down under stressful or questionable situations, it will very likely halt the incident from progressing to a full blown one. Nevertheless, something not happening is not an observable outcome. Bear in mind that the attacker may also take less aggressive steps initially in order to gain our trust, and collect more information about us and our friends and family before executing her true mission. Question why we should trust this person (especially if he/she is someone we haven’t met previously) before proceeding.

Finally, if you are a Microsoft users, do take note of how to contact their official support: https://www.microsoft.com/en-sg/contact.aspx. Copy the contact information in your address book perhaps so it is always handy. For Apple users, I couldn’t find a local contact number for Apple support, but just their general support site: http://www.apple.com/sg/support/contact/, which could still be useful.

Best wishes and a happy new year!

Advertisements

Written by mengchow

January 6, 2016 at 11:19 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: