<?xml version="1.0" encoding="UTF-8"?>
<article xsi:noNamespaceSchemaLocation="http://jats.nlm.nih.gov/publishing/1.1/xsd/JATS-journalpublishing1-mathml3.xsd" dtd-version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <front>
        <journal-meta>
            <journal-title-group>
                <journal-title>Journal of Global Humanities and Social Sciences</journal-title>
            </journal-title-group>
            <issn media_type="print">2737-5374</issn>
            <issn media_type="electronic">2737-5382</issn>
            <publisher>
                <publisher-name>BONI FUTURE DIGITAL PUBLISHING CO.,LIMITED </publisher-name>
            </publisher>
            <url>https://ojs.bonfuturepress.com/index.php/GHSS/article/view/1680</url>
            <volume>5</volume>
            <issue>7</issue>
            <year>2024</year>
            <published-time>2024-07-16</published-time>
            <title>Human Firewall Simulator for Enhancing Security Awareness against Business Email Compromise</title>
            <author>Daniel Onyango Okumu, Richard Otieno Omollo, George Raburu</author>
            <abstract>Chief executive officers (CEOs) can turn out to be the weakest link in an organization’s security, and attackers know that if they successfully exploit or impersonate someone with a high level of access, such as a CEO or chief financial officer (CFO), they instantly gain a great advantage. The problem arises when an attacker takes control of a CEO’s or CFO’s email account and sends an email to another member of staff: that employee is likely to take it seriously, act on it as quickly as possible, and may wire cash to an account designated by the “CEO/CFO” and/or hand over private or sensitive corporate information. Because of the nature of these attack methods, detection and protection are very difficult, since the attackers exploit human weakness, which is the weakest link. The main aim of this study is to provide a solution that protects every surface of the organization. Developing a human firewall that works alongside the existing technical solutions addresses the remaining problem of human weakness. This research developed a simulator that trains users on the latest trends attackers are using, so that they do the right thing (flagging, reporting, not clicking suspicious links) and treat email security as part of their responsibility. In this way the employee becomes a human firewall. The results from the simulator are displayed in charts showing the number of employees who passed the test, the number who would click on malicious links, the number who would download dangerous attachments, the number who would reply to phishing emails, the average awareness of the organization, and how individual employees performed. While organizations have made progress over the years, security is a never-ending process that requires improvement day by day.
Since no one in the organization’s structure is immune, including those at the very top (i.e., the CEO), building understanding and creating awareness is more necessary than before. Integrating a human firewall into existing security measures, as the last line of defense in email communication against business email compromise fraud, offers this solution because it combines preventive and reactive measures, both geared toward maximizing email security. A simulation of the attacks, used to analyze how users contribute to security breaches, followed by an evaluation simulation after the human firewall has been integrated into the organization’s email security, shows the level of success. The results from the test show differing success levels: the pre-assessment results show a low success level, since staff had not yet been made aware or trained to profile or flag suspicious email, compared with the results after the staff had gone through the training and awareness program. The post-assessment indicates a high success level because employees who have become a human firewall know how to take proper action, for example flagging and not clicking malicious links. The organization should update its policies to accommodate and reinforce rules on employees, ensuring that the tool is used regularly and that action is taken against any user deemed a threat to the organization’s email security.</abstract>
            <keywords>human link, impersonation, intercept, business email compromise (BEC), email security, human firewall</keywords>
        </journal-meta>
        <article-meta>
            <article-id pub-id-type="doi">10.61360/BoniGHSS242016800708</article-id>
        </article-meta>
    </front>
    <tbody>
        <back>
            <sec/>
        </back>
    </tbody>
</article>