Cyber-criminals are using social engineering to find victims

It is no secret that cyber-attackers are getting better at what they do.

“They know you, they know Singaporeans. It’s all about social engineering,” said Mr Anthony Lim, director of the Singapore chapter of Cloud Security Alliance, a non-profit organisation that promotes best practices in cybersecurity.

“The email might indicate that it was from your mother. But when was the last time your mother sent you an email? Even if your mother doesn’t use email, you might still click on it just because it’s from her. Or would you bother to call up her up first to verify?” he asked.

Speaking at the Cybersecurity Forum 2017 on current trends in cyber-attacks, Mr Lim recounted how the Istana sent him an email invitation to attend the SG50 National Day reception two years ago. “I phoned up the Istana to find out if the officer who sent me an email was a real person. Turns out she was,” he laughed.

But even that wasn’t enough to satisfy him. “I told them that I am coming to eat the dinner but I am not clicking ‘attending’ on that email. Please tell the President that,” Mr Lim said to laughter from the delegates.

He explained that with social engineering, cyber-criminals are learning to ride on the euphoria and emotions surrounding world events—SG50, the Zika virus outbreak and Pokemon Go, for example, provide prime opportunities for phishing attempts. Everyone thus needs to be more sceptical and pro-active in practicing caution and vigilance, he added.

Fear, uncertainty and doubt

While security vendors may try to tap into fear, uncertainty and doubt (FUD) to sell their products, the problem in some cases is that there is not enough of it. For example, 70 percent of security breaches come from inside organisations themselves, said Mr Lim.

“It is not that 70 percent of the staff are bad. People don’t follow procedures not because they are bad people,” explained Mr Lim. “Employees may find procedures troublesome and a hindrance to their work. But in the process of trying to bypass the procedures, they don’t realise that they are creating an even larger problem while trying to solve the first.”

Mr Lim’s talk was followed by a panel discussion on the cyberthreat landscape. Panelist Mr Stanley Hsu, regional director of security firm Darktrace, shared that what frustrated him most when speaking to customers was a blatant lack of awareness. One customer, for example, said that “it is very hard to sell health insurance to a healthy person”—meaning that he would not invest in security in the absence of a breach.

“I just sat there lost for words, because isn’t that the best time to buy an insurance, when your premiums are the lowest?” said Mr Hsu.

“It seems like the cyber-criminals are on a winning streak, and in a society like Singapore, all of us have a role to play in getting this awareness out, because we are living a very digitised life.”

The ever-changing, unpredictable cybersecurity landscape makes being prepared even more critical. “We often try to define what ‘bad’ is, when there is no static definition because the threats are evolving all the time. ‘Bad’ is also actually just some unknown user who doesn’t know that he cannot do certain things,” said Mr Hsu.

The mature ecosystem of bad guys

Mr Yum Shoen Yih, deputy director of the Cyber Security Agency of Singapore’s (CSA) Critical Information Infrastructure Division, who also spoke on the panel, stressed the need for businesses to adopt security by design.

“Unfortunately, many developers today—both start-ups and mature companies—face a very large pressure to market. They end up focusing on the features and functionalities first, and then try to add in the security components later,” Mr Yum said. “If you do that, chances are you will have problems.”

Earlier in his keynote, Cloud Security Alliance’s Mr Lim had also raised the example of the retail chain Target’s CEO resigning over a data breach to illustrate the importance of having an integrated IT system that includes security.

“Hackers attacked the smart technologies component of their building, and from there, infiltrated the main IT system. The problem was that nobody was aware, because the contractor who installed the wiring for the smart building was different from the one who installed the office network,” Mr Lim explained. “It’s a classic case of the left hand not knowing what the right leg was doing.”

This highlights a shortcoming of the IT industry, said Mr Yum. “The bad guys have a better ecosystem than the good guys. They sell and share information freely. Whoever finds something just puts it up on the dark net, and it becomes a business because there will be people who want to buy it.

“Therefore, if the good guys—meaning the people who are providing the solutions and support systems—don’t work together, they will lose,” he concluded.