Psychological manipulation and deception are just some of the social engineering tactics used in state-sponsored operations.
Even though society prefers to implement measures that would take care of online protection for them completely, it’s still crucial to take the time to research emerging cyber threats. While general cybersecurity awareness has rapidly increased over the past few years, our guest today explains that social engineering attacks are not only becoming more common but also more complex and difficult to identify.
To learn more about the current cyber threat landscape, the Cybernews team interviewed Steve McLaughlin, the founder & director of Core Sentinel – a company providing penetration testing services.
Let’s go back to the beginning of Core Sentinel. What was the journey like since your launch?
It takes a lot of hard work, dedication, and passion to get a business up and running and to what it has become today. It’s been both fun and rewarding. Starting a business is like doing an MBA: you start by learning to do all the marketing, budgeting, and accounting, and as things start to take off you need to manage your resources by outsourcing a lot of those tasks. But at the end of the day, you are always the best person to do it all. Particularly the marketing. All in all, we’ve refined a lot of what we do and fine-tuned our delivery, so the things we deliver have evolved and adapted from inception, and we’ve become a lot more efficient with things over time.
Can you tell us a little bit about what you do? What makes Core Sentinel stand out?
I’ve been working in cybersecurity pretty much all my life. It’s been something I’ve been interested in since I was a kid. So, it wasn’t hard for me to simply just apply what I loved doing, particularly in the field of penetration testing. And I had worked in so many places where we delivered penetration testing as a professional service as well as interpreted pen test reports for clients. I became so familiar with how it was all delivered, and so when I combined that with my technical ability in pen testing, I knew I could do better than what the competitors were doing and how they were delivering it. So, I just went out and did it. And here we are today.
Besides regular penetration tests, what other safety practices do you think should be a part of every company’s cybersecurity system?
I think people are the weakest link in an organization, and user awareness can always be improved upon. Many attacks these days involve tricking the user into filling in their details or clicking on a link in an email or SMS text message that loads malicious code onto a phone or laptop. These types of social engineering attacks are becoming more and more sophisticated and common, and unsuspecting users can be much easier targets than attacks against infrastructure and applications. Therefore, user awareness training should be a must for every organization because it’s not just technical, it's psychological with the use of deception tactics.
How do you think the recent global events changed the nature of cyberattacks?
It’s a mess out there. Cyber-attacks have always been used as a form of warfare, and we are seeing attacks occur non-stop at all times. And often we hear the attacks are coming from particular countries and we blame them as the source of the attack. Well, this is not always correct. It is much more strategic to simply proxy your attacks through a third-party country to make it look like the attacks originated from them, when in fact the source of the attack was whoever was behind that proxy and potentially in another country.
And as mentioned before, psychological manipulation and deception through social engineering and state-sponsored psychological operations are also on the rise in the current global situation.
We should also expect to see more cyber attacks on our critical infrastructure such as power grids, telecommunications, or other utilities during times of war. An example of this type of attack is how Stuxnet was used to disable the Iranian atomic energy plant. In this case the virus was used to manipulate the centrifugal spin of the atomic cylinders and cause them to overheat. So when we see fires and explosions occur at power grids and other infrastructure during times of war, it is often likely that a cyber attack is the cause rather than, say, a missile strike.
What vulnerabilities do you notice being exploited most often nowadays?
Still the same old web application vulnerabilities, injection attacks, SQL injection.
But also overflow-type attacks which can be delivered through social engineering attacks.
If people spent more time and resources on the cyber maturity of their product, it would pay itself off exponentially in the long term. It’s much better to be safe than sorry. And a devastating data breach can mean the end for some organizations.
People are often what I consider the weakest link in the cyber kill chain, and they can be a much easier target in an organization whose technical defenses are armed to the teeth. People do stupid things like clicking on links they shouldn’t and giving away their credentials.
Which industries do you think should take penetration testing more seriously?
I don’t think this is industry-specific, as all industries are a target. However, if we take a risk-based approach and look at the risk of say, a data loss, or an infrastructure outage, this is a good place to start. So, we look at the impact of a cyber-attack in terms of risk. The higher the risk the more seriously industries should take penetration testing. With that said, everything that is online is attacked. Although some organizations might be targeted specifically, opportunistic attacks against anything are always occurring. So, it’s good to expect that it will occur. Another way of looking at it would be that it would be reckless to go live with any infrastructure or application without a prior penetration test to uncover any vulnerabilities that may be exploited.
In your opinion, what type of cyberattacks should the general public be prepared to tackle in the near future?
Social engineering attacks that focus on the deception of the target are getting much more sophisticated and are ever-increasing, which means you can’t trust anything in your email inbox or SMS messages. People need to be alert and actively inspect the emails and links they are clicking on, as well as inspect domain names in the browser's URL bar, letter by letter, to ensure they are not being scammed or phished. We also need to be careful about people phoning up and claiming to be from some authority that they are not, demanding your compliance with their requests, such as sending them money to settle a tax debt you don’t have.
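The "letter by letter" inspection of a domain name described above can be automated on the defender's side. The following is an added example, not code from the interview or from Core Sentinel: it reduces a hostname to a visual "skeleton" (punycode decoded, Unicode-normalised, a small set of look-alike characters folded to the Latin letter they mimic) and flags hosts whose skeleton collides with a trusted domain. The trusted domains and the confusables table are constructed for the demo; a real deployment would use the full Unicode confusables list and a public-suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains the user actually trusts (example values, not from the interview).
TRUSTED_DOMAINS = {"example.com", "mybank.example"}

# Minimal confusables table (assumption: a real deployment would load the full Unicode
# confusables.txt). Keys are what an attacker may substitute, values the Latin letter mimicked.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "і": "i", "ԁ": "d",
               "0": "o", "1": "l", "rn": "m", "vv": "w"}


def registrable(host: str) -> str:
    """Return the last two labels of a hostname (naive eTLD+1, no public-suffix list).

    This is what defeats 'mybank.example.attacker.test' style subdomain tricks: only the
    part the attacker had to register is compared against the trusted set.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Normalise a hostname so visually similar strings collapse to one form."""
    if host.startswith("xn--") or ".xn--" in host:
        host = host.encode("ascii").decode("idna")  # decode punycode labels to Unicode
    host = unicodedata.normalize("NFKC", host).lower()
    for pair in ("rn", "vv"):                        # multi-character confusables first
        host = host.replace(pair, CONFUSABLES[pair])
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike' (mimics a trusted domain) or 'unknown' for a URL."""
    host = urlsplit(url).hostname or ""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(reg) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://login.mybank.example/", "https://examp1e.com/",
              "https://exarnple.com/", "https://mybank.example.evil.test/login"):
        print(u, "->", classify(u))
```

A "lookalike" verdict is a strong signal for blocking or at least warning, while "unknown" only means the domain is not on the trusted list and needs the usual scrutiny.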
Some cyber-attacks are also state-sponsored, which can mean critical infrastructure is targeted by foreign adversaries, but it also means your government uses offensive cyberespionage strategies to combat serious crime, and this appears to be shifting to what they regard as the spreading of “misinformation”, which simply refers to information that goes against the government-prescribed narrative. It is now legal in Australia with the new Identify and Disrupts Bill for a federal agent to take over your social media account and start using it as if they were you.
What security tools do you think will become crucial to combat such threats?
At the people level – education. I think this is one of the biggest. If people are the weakest link in the exploit chain, then user awareness becomes crucial to identifying the ever-increasing social engineering type attacks.
Penetration testing and secure code reviews are great for securing the technology and should be considered mandatory for anything that goes online.
I also think host-based controls in zero-trust models will become more important as people work from home and not within the confines of a corporate network using the corporate web proxy, and all of the technical defenses & firewalls that are the norm at network boundary points.
And finally, what’s next for Core Sentinel?
It’s a very busy industry right now, and we’re continuing to evolve with the threat landscape and adjust our procedures accordingly. One thing we are looking into which I think is going to change everything for the better is decentralization. Traditionally we have always used centralized systems because that is all there has been. However, now we have secure decentralized systems which can be used. So, we are looking at how to utilize and incorporate decentralization into security generally.
To give you an example, there is no such thing as a trusted intermediary in any transaction. And this is the problem with using centralized third parties such as, for example, Google or Facebook to authenticate. They are only as trustworthy as the people who own them. The solution is to decentralize products like authentication systems, to remove the intermediary altogether because there’s no such thing as a “trusted intermediary”. It’s akin to a man-in-the-middle. Take a look at the PRIViLEDGE project for example. And I think it’s time we should add a “D” for decentralization to the Confidentiality, Integrity, Availability (CIA) triad to make it CIAD instead.