The Power of the 8th Layer (Part One)
It’s been quite a while since I’ve blogged here, I do hope you will forgive me. It has been one doozy of a year. Today’s blog series will be a little more personal than normal. It will also possibly be much more useful to you than a technical discourse on blockchain or routers or Internet Security. It’s on human hacking.
The 8th Layer of Security
You will probably recall from previous blogs my discussions about the OSI layers. As a recap, these layers are a logical methodology for us to understand how a computer can communicate with another computer. There are 7 layers (much like a heavenly party dish of bean dip) that start with the Physical Layer One (the sending of binary one’s and zero’s on a wire) and climb all the way up to the Application Layer Seven (where Facebook and email and other interactive computer stuff resides). But there are other, more unofficial layers that have been added to the OSI model. Most notably, I refer to the 8th Layer – the User layer.
from schneier.comThe great security cryptographer and security pioneer Bruce Schneier refers to the 8th Layer as the layer of the Individual Person. It is this human layer that has spawned tech support icons as Nick Burns the Company Computer Guy (an old Saturday Nigh Live skit starring Jimmy Fallon) as well as terms such as PEBCAK (Problem Exists Between Chair And Keyboard) and the infamous ID-Ten-T error (ID10T). And it is the most vulnerable layer of security – the only layer that is practically guaranteed to eventually provide results to the hacker. Any other layer can be protected using any number of security controls – things like software patches, bug fixes, Operating System Hardening, Firewall rules, and DNS Blackholes. But Layer 8 – the user – remains forever vulnerable.
OK, That Seems Kind of a Downer…
My undergrad work was in the field of Social Psychology. And for many years (and numerous student loan payments), I thought I had wasted a great sum of money on a worthless degree. It wasn’t until recently, during my graduate studies on Cybersecurity, that I realized that I was terribly wrong.
Social Psychology – the study of human behavior – is incredibly relevant to the field of Information Technology. There are numerous books dedicated to the study of this intersection of human behavior and computer security – such gems as:
- Unmasking the Social Engineer: The Human Element of Security
- Social Engineering: The Art of Human Hacking
- Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques
- No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing
- Social Engineering Penetration Testing: Executing Social Engineering Pen Tests, Assessments and Defense
- The 48 Laws of Power
- And pretty much anything ever written by Kevin Mitnick… but specifically, The Art of Deception: Controlling the Human Element of Security
These books recognize what the field of Social Psychology has long been aware – that in general, people are hard-wired into predictable responses to certain external stimuli. And because of this, an individual can type a few lines of behavioral code into the human computer, and get a predictable output. That predictable output can then be used for nefarious purposes. Or, to say it a different way, people are hackable.
Photo by Franck V. on UnsplashThe Hackable Human Computer
This is perhaps common sense, drilled into us at our parent’s knee – my childhood was full of warnings such as “stay away from him, he is trouble” or “bad company corrupts good character” or (my personal favorite) “One boy = one boy. Two boys = half a boy.” My Mother (God rest her soul) knew that certain external stimuli would more often than not lead to certain behavior on my part.
In the field of Information Technology, these techniques are being used to great effect to rob people and organizations blind. Companies spend millions of dollars a year on security – from devices such as Layer 7 Next-gen firewalls and SIEMs and web content filters, to security cameras and door locks and man traps… but research indicates that people are still hackable – and this hacking is highly profitable.
The 2018 Verizon Data Breach Investigative Report is a fantastic yearly review of where cyber security has been, and where it is likely headed. Most attacks are financially motivated – this is obvious. The bad guys (usually organized crime groups, featuring hacking) go after the easy money. And most attacks involve some form of social engineering to get access to your information – your passwords, your identity, your account numbers… with the goal to take your money.
I’ve talked in previous blogs about tactics such as Phishing (general), Spear Phishing (targeted), and Whale Phishing (individually targeted) to steal your information. These types of large-scale attacks are highly profitable, because of Layer 8. Statistically speaking, about 78% of people will never click a Phishing URL. That sounds great – but unfortunately, about 4% of people WILL click a Phishing URL. And if I send out a Phishing email to 1,000 people, getting back 40 responses is a pretty good rate of return. Especially considering sending out a Phishing email takes little to no effort for a hacker. By and large, the bad guys always know how to get your stuff. And statistically speaking, they will get some people’s stuff. The determined predator will eventually come out of the herd with a meal clamped in its jaws, kicking and thrashing – but ultimately, doomed.
Broadening the Horizon
So thus far, I’ve pretty much rehashed what I’ve already discussed in previous blogs. We’ve heard all of this before: don’t click on strange email links, and when Microsoft calls my house saying I have an infection, just hang up on them. To quote Garfield, “big fat hairy deal.”
Unfortunately for all of us, the field of Social Psychology is not limited to Cyber Security. The bad guys are not always merely after our money.
Sometimes they are after our souls…
<to be continued>
