Social Engineering can be Prevented, But not Through User Education
You’ve probably heard of the recent Colonial Pipeline hack. The Colonial Pipeline transports almost half of the fuel supplies of the American east coast. It is part of the USA’s national critical infrastructure. Pump prices rose shortly after the attack.
Colonial Pipeline had to pay the attackers a $5 million ransom after they crippled the pipeline service for five days.
Watch this woman rejoice when the gas started flowing again.
In another recent cyberattack incident, attackers gained access to the Oldsmar (Florida) water plant’s systems. They tried to raise the water’s pH levels, which would have made the water toxic. Luckily, the attack was thwarted before its completion. Imagine what would have happened had the attack been successful.
Recently, there has been a surge in cyberattacks on critical infrastructure around the world. Other notable incidents include:
- In October 2020, the power grid of the state of Maharashtra (India) was hit by a cyberattack that resulted in a widespread power outage.
- In March 2019, the Post Rock Water District in Ellsworth, Kansas suffered a security breach that threatened the safety of the city’s water supply.
- In 2015, three Ukrainian power distribution companies were attacked, leaving hundreds of thousands of people without power for 6 hours.
For a long time, people have associated cyberattacks with web services. Most people would never imagine that they wouldn’t be able to fill up their tanks because of a cyberattack. It’s even scarier to imagine that you could unknowingly drink toxic water just because of a security breach.
The attacks on critical infrastructure should have everyone really worried. Cyberattacks no longer affect only what we do online; they affect our offline lives as well. A cyberattack could literally cause people physical harm.
This article in The New Yorker by Ed Caesar reveals how the North Korean regime has built an army of hackers. They attack corporations and government institutions around the world. They conduct ATM heists and cryptocurrency thefts, whose proceeds are used to fund missile programs.
There’s one thing that all these attacks have in common, including those perpetrated by North Korea. They all start with social engineering. That’s where the biggest problem is. There’s no technical cybersecurity solution that can solve the problem of social engineering.
You’ve probably heard of Kevin Mitnick, the world’s most popular hacker. He was once the “World’s Most Wanted Hacker”. He was arrested by the FBI in 1995 and spent 5 years in prison for various hacking-related crimes.
Kevin Mitnick is now a renowned cybersecurity consultant and author. He works with governments and Fortune 500 companies. These organizations hire him to hack into their systems and expose the security vulnerabilities that might be there.
In most of his speeches and books, Mitnick focuses on demonstrating social engineering tricks. His proposed solutions to social engineering revolve around user education.
Take this video for instance:
This video has 1,625,960 views at the time of this writing, and it is targeted at nontechnical folks. Its message will spread far beyond its viewers.
Mitnick’s demonstration in this video actually represents a form of social engineering. It is an indirect form of social engineering in which the perpetrator provides a malware-laden device (inside product packaging, etc.) in a way that is designed to avoid suspicion, but never communicates directly with the victim.
Now watch this video.
David Kennedy’s victim in that video is a tech support guy in a big company. He has most likely been trained and tested on cybersecurity, yet he gets duped as easily as an average computer user would.
Mitnick may produce some eye-opening demos and show his skills as an ethical hacker, but as a source of advice he’s no better than Stu Sjouwerman and the other “experts” who tell users to be on guard against suspicious links. That does not work.
If the people tasked with preventing cyberattacks can be easily used by attackers to gain access to critical systems, and attackers are now targeting critical infrastructure, everyone should be really concerned.
So, what next? What’s the solution?
The solution is not user education. No one is socially intelligent enough to overcome every social engineering attempt thrown at them.
The solution is measurably reliable digital identities.
How are measurably reliable digital identities achieved?
They start with PKI (Puzzle Kit Infrastructure).
Watch this video to understand how PKI works.
In PKI, one either makes a puzzle with a public key so that only the owner of the corresponding private key (PEN) can solve it, or one makes a puzzle with a private key (PEN) such that anyone can solve the puzzle with the corresponding certified public key to know that it originated with the owner of the private key or PEN.
But that’s not new, is it? No, it is not. What’s new is what we call PKIDR (PKI Done Right).
Our lead story, “Is the Internet Really Broken?”, suggests that the internet, as it is now, is an outdoor public transport system. It recommends the inclusion of indoor spaces, or buildings, that will bring security and privacy.
PKIDR can be said to be adding an indoor layer of pervasive accountability to sit atop the old “information highway” - the outdoor public transport facility known as the internet.
Watch this video.
That indoor layer of pervasive accountability is called Authenticity.
Authenticity is Pervasive Accountability with Privacy.
The description below should give you a better perspective.
AUTHENTICITY is the condition that exists when we have
• Digital Signatures Everywhere backed by…
• …Measurably Reliable Identity Certificates that are…
• …Owned by their Users and which provide…
• …Privacy via Accountable Anonymity.
These are the elements of authenticity.
Authenticity, not user education, is the solution to social engineering. We’ve established that even the best cybersecurity experts can fall victim to social engineering.
How is Authenticity the Solution?
To answer that question, let’s explore the…
…Elements of Authenticity in a bit of detail
The internet, while being an information highway, is an open space where we keep our files, hold meetings, and let our kids hang out.
Ever since the onset of cybersecurity threats, proposed solutions have always been about determining the character and intention of the sender of a stream of bits. That has never worked and never will, especially against social engineering.
What if there was a way to connect that stream of bits to a real human being in a way that provides privacy, but preserves accountable anonymity? That can be achieved through measurably reliable identity certificates.
Accountable anonymity is already a familiar concept in daily life: license plates provide anonymous but accountable identification of cars. The driver or owner of a car remains anonymous on the road unless there is trouble. At that point, legal authorities can unmask the identity of the driver so that they can be held accountable.
In a similar way, users of the information highway (internet) remain anonymous unless legal action is needed for misdeeds. At that point, a court order can be obtained in order to unmask the human being behind the identity certificate that’s responsible for the misdeeds.
The other essential element of authenticity is digital signatures. Measurably reliable identity certificates can be used to create digital signatures. The digital signature is a combined footprint of the signer’s identity and the file that is signed.
The digital signature can therefore provide a guarantee that the file is really from the signer and not one bit of it has been changed since it was signed. The reliability of identity certificates, meaning confidence that they actually represent their claimed owner, is a critical element of authenticity.
But how reliable is reliable?
There are realistic ways of measuring the reliability of an identity certificate, hence the name measurably reliable digital identities. We’ve used eight of them to calculate the identity score or confidence level of a particular identity certificate.
The eight metrics are:
- Protects personal assets?
- Rigor of enrollment methods
- How secure is the PEN (Private Key)?
- Quality of Assertion
- Quality of certification authority
- Who else knows this person
- How much assumption of liability?
- Track record of this credential
These relate to how the certificate was created, how it has been corroborated, and characteristics of how it is used. The combined score is an identity quality that is publicly disclosed as part of the certificate. Relying parties can then make their own judgments as to how they choose to interact with this individual.
Watch this video to get a better perspective of the elements of Authenticity.
Remember how David Kennedy dupes the tech support guy into clicking a malicious link? Through authenticity, the tech support guy could first establish whether the caller is who they say they are. They can use their measurably reliable identity certificates to gauge whether they can be trusted or not.
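The relying-party decision described above (a signature that binds signer and file, a certificate that carries a published identity score, and a policy threshold applied before acting on a request) can be sketched as follows. This is an added example, not code from the original article or from any PKIDR implementation. Its assumptions: toy textbook RSA built from fixed Mersenne primes (insecure, for illustration only), a 0-9 scale per metric that is summed, and hypothetical field names, subject name and thresholds.

```python
import hashlib, json

E = 65537  # RSA public exponent

def make_key(p, q):
    # Toy textbook-RSA key from two known primes: (modulus, private exponent).
    # Assumption for illustration only; real keys are large, random and padded.
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def canon(obj):
    # Deterministic byte encoding of the certificate body, so it can be signed.
    return json.dumps(obj, sort_keys=True).encode()

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    # Private-key (PEN) operation: only the key owner can produce this value.
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    # Public-key operation: anyone holding the certified key can check it.
    return pow(sig, E, n) == digest(data, n)

# The eight metrics listed in the article; the key names are hypothetical.
METRICS = ["protects_personal_assets", "enrollment_rigor", "pen_security",
           "assertion_quality", "ca_quality", "who_else_knows",
           "liability_assumed", "track_record"]

def issue_cert(subject, subject_n, scores, ca_n, ca_d):
    # The CA signs the subject's public key together with the published scores.
    body = {"subject": subject, "n": subject_n, "scores": scores}
    return {"body": body, "ca_sig": sign(canon(body), ca_n, ca_d)}

def relying_party_check(request, sig, cert, ca_n, min_score):
    body = cert["body"]
    if not verify(canon(body), cert["ca_sig"], ca_n):
        return "reject: certificate altered or not from trusted CA"
    if not verify(request, sig, body["n"]):
        return "reject: request not signed by certificate owner"
    if sum(body["scores"].values()) < min_score:  # assumed scale: sum of 0-9
        return "reject: identity score below policy"
    return "accept"

# Constructed sample data (fixed Mersenne primes keep the toy keys reproducible).
CA_N, CA_D = make_key(2**107 - 1, 2**127 - 1)
USER_N, USER_D = make_key(2**61 - 1, 2**89 - 1)
CERT = issue_cert("pseudonym-4821", USER_N, {m: 6 for m in METRICS}, CA_N, CA_D)
REQUEST = b"reset VPN token for pseudonym-4821"
SIG = sign(REQUEST, USER_N, USER_D)

if __name__ == "__main__":
    print(relying_party_check(REQUEST, SIG, CERT, CA_N, min_score=40))
    print(relying_party_check(REQUEST + b"!", SIG, CERT, CA_N, min_score=40))
```

Changing one byte of the request, or editing the scores inside the certificate after issuance, fails at a different check, so the relying party learns which guarantee was broken.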