Human Firewall Simulator for Enhancing Security Awareness against Business Email Compromise
DOI: https://doi.org/10.61360/BoniGHSS242016800708
Keywords: human link, impersonation, intercept, business email compromise (BEC), email security, human firewall
Abstract
Chief executive officers (CEOs) can turn out to be the weakest link in an organization’s security, and attackers know that if they successfully exploit or impersonate someone with a high level of access, such as a CEO or chief financial officer (CFO), they instantly gain a great advantage. The problem arises when an attacker manages to take control of the email account of a CEO or CFO and sends an email to another member of staff: the recipient is likely to take it seriously, act on it as quickly as possible, and may wire cash to an account chosen by the “CEO/CFO” and/or hand over private or sensitive corporate information. Because of the nature of these attack methods, detection and protection are very difficult, since the attackers exploit the human element, which is the weakest link. The main aim of this study is to provide a solution that protects every surface of the organization. Developing a human firewall that works alongside the existing technical controls addresses the remaining problem of human weakness. This research developed a simulator that trains users on the latest techniques attackers are using, so that they do the right thing (flagging, reporting, not clicking suspicious links) and treat email security as part of their own responsibility. This turns the employee into a human firewall. The results from the simulator are displayed in charts as the number of employees who passed the test, the number who clicked on the malicious links, the number who downloaded the dangerous attachments, the number who replied to phishing emails, the average awareness of the organization, and how individual employees performed. While organizations have made progress over the years, security is a never-ending process that requires day-by-day improvement.
Since no one in the organization’s structure is immune, including those at the top of the hierarchy (i.e., the CEO), understanding and awareness creation are needed more than ever. Integrating a human firewall into existing security measures as the last line of defense in email communication against business email compromise fraud offers this solution, because it has both preventive and reactive measures, each geared toward maximizing email security. A simulation of the attacks to analyze user involvement in breaching security, followed by an evaluation simulation after integrating the human firewall into the organization’s email security, shows the level of success. The results show different success levels: the pre-assessment shows a low success level, since staff have not yet been trained to profile or flag suspicious email, compared with the results after the employees have gone through the training/awareness program. The post-assessment indicates a high success level because employees who have become a human firewall know how to take the proper action, for example, flagging and not clicking malicious links. The organization should update its policies to accommodate and reinforce rules requiring employees to use the tool regularly, and to take action on any user deemed a threat to the organization’s email security.
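As an added example (not the authors’ simulator, whose code the page does not show), the following Python computes the chart figures listed in the abstract from a constructed log of employee actions in a pre-assessment and a post-assessment campaign, and flags employees who failed both rounds as candidates for the policy action mentioned above. The event format, the awareness weights, and the rule that reporting a message after clicking its link does not undo the click are assumptions made here, not figures from the paper.

```python
"""Score simulated BEC/phishing campaign results (added example, not the paper's code)."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean

HARMFUL = {"clicked", "downloaded", "replied"}

# Assumed awareness weights per outcome; the paper does not state its scale.
SCORE = {"reported": 100, "ignored": 50, "failed": 0}


@dataclass(frozen=True)
class Event:
    campaign: str   # "pre" (before training) or "post" (after training)
    employee: str
    action: str     # delivered | opened | clicked | downloaded | replied | reported


def outcome(actions):
    """Classify one employee's set of actions in one campaign.

    Any harmful action is a fail even if the employee later reported the
    message: the link was still followed or the attachment still opened.
    Reporting without any harmful action is the best outcome; doing nothing
    is a pass but earns only partial awareness credit.
    """
    if actions & HARMFUL:
        return "failed"
    if "reported" in actions:
        return "reported"
    return "ignored"


def score_campaign(events, campaign):
    """Return the chart figures for one campaign plus per-employee scores."""
    per_employee = {}
    for ev in events:
        if ev.campaign == campaign:
            per_employee.setdefault(ev.employee, set()).add(ev.action)

    counts = Counter()
    individual = {}
    for name, actions in per_employee.items():
        result = outcome(actions)
        individual[name] = SCORE[result]
        counts["passed"] += result != "failed"
        for harmful in HARMFUL:
            counts[harmful] += harmful in actions
        counts["reported"] += "reported" in actions

    return {
        "employees": len(per_employee),
        "passed": counts["passed"],
        "clicked": counts["clicked"],
        "downloaded": counts["downloaded"],
        "replied": counts["replied"],
        "reported": counts["reported"],
        "average_awareness": mean(individual.values()) if individual else 0.0,
        "individual": individual,
    }


def compare(events):
    """Pre- vs post-assessment delta, plus employees who failed both rounds."""
    pre = score_campaign(events, "pre")
    post = score_campaign(events, "post")
    repeat = sorted(name for name, score in pre["individual"].items()
                    if score == 0 and post["individual"].get(name) == 0)
    return {
        "pre": pre,
        "post": post,
        "awareness_delta": post["average_awareness"] - pre["average_awareness"],
        "repeat_offenders": repeat,
    }


# Constructed sample log: six employees, one simulated message per campaign.
SAMPLE = [
    Event("pre", "alice", "opened"), Event("pre", "alice", "clicked"),
    Event("pre", "bob", "downloaded"),
    Event("pre", "carol", "replied"),
    Event("pre", "dan", "delivered"),
    Event("pre", "eve", "reported"),
    Event("pre", "frank", "clicked"), Event("pre", "frank", "reported"),
    Event("post", "alice", "reported"),
    Event("post", "bob", "reported"),
    Event("post", "carol", "delivered"),
    Event("post", "dan", "reported"),
    Event("post", "eve", "reported"),
    Event("post", "frank", "clicked"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(compare(SAMPLE), indent=2))
```

On the constructed sample the pre-assessment passes 2 of 6 employees with an average awareness of 25, the post-assessment passes 5 of 6 with an average of 75, and only one employee fails both rounds; those are the figures a chart of the kind the abstract describes would plot, and the repeat-offender list is what the policy clause at the end of the abstract would act on.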
License
Copyright (c) 2024 Daniel Onyango Okumu, Richard Otieno Omollo, George Raburu
This work is licensed under a Creative Commons Attribution 4.0 International License.