Christopher Kayser admits he was once suckered by a phishing lure, which is ironic considering he’s a cybersecurity consultant, researcher and author of a recent book that tries to explain why people fall for such scams.
It was supposedly an email from an airline he regularly uses, Kayser said in an interview from his Calgary home. The email featured special pricing on fares. He clicked a link. Nothing happened, but that’s because the malware was silently downloading.
“And I looked at the screen and thought, ‘You silly bugger.’”
No serious harm was done. It did mean Kayser was one of the thousands of people around the world who have been duped since the age of the personal computer began. And it sort of makes him competent to write about social engineering.
His message to anyone with a computing device is “don’t be quick to click,” which, of course, he was that day.
“I try to tell people to slow down, think about what they’re looking at, understand that they have to be right every time they touch a keyboard, but the cybercriminal only has to be right once. And that one time can change your life if you lose your identity, your social insurance, if your bank account gets cleaned out, or if your credit gets ruined.
“So what I wanted to do is write a book that did two things: One is helping people that weren’t super-literate in how to protect themselves as best they could using technology [and] to remind people that becoming too close to technology is not necessarily a good thing. Sometimes the more advanced we get the less cautious we become, and that can be catastrophic.”
His book, Cybercrime through Social Engineering, is a 290-page distillation of cybercrime (hacker tools, ransomware, CEO scams, phishing, the phases of an attack) and of how people and organizations can protect themselves (multi-factor authentication, cyber insurance, penetration testing and the need to create effective cyber policies). Non-tech managers and individuals will find it a useful introduction to a vast subject and to the warning signs to look for.
The centre of the book is a concept Kayser and a Boston University colleague are developing called Required Elements for a Social Engineered Cyber Attack Theory (RESCAT) to explain how users of technology react to social engineering attacks.
Briefly, they believe two factors — human nature and human curiosity — determine what people will do when faced with an enticement. As many infosec pros know by now, attackers try to manipulate people through emotions including fear, urgency, greed, guilt, helpfulness and obedience. But they also believe generations play a role in decision-making. For example, Traditionalists, those born before 1945, are cautious and less likely to click. Younger groups who are more at ease with technology and think rules don’t apply to them may be more trusting. Which is why, Kayser writes, a “one-presentation-fits-all” approach won’t be effective.
There’s a lot of research and testing of the model to be done, Kayser acknowledges. But if it’s accurate, he says it could help develop awareness programs to help users of technology be more aware when faced with something that looks convincing.
Actually, it wasn’t that supposed airline fare offer that triggered Kayser to write a book. It was a CBC interview with a firewall vendor who said his product catches 92 to 98 per cent of cyberattacks. Asked about the rest, the rep said it was up to the user to catch them. “That just about floored me,” Kayser said, figuring it left a “staggering” number of people who could face a cyber attack.
‘People need to know’
“Think of 4 billion people around the planet who are using smartphones, computers and look at cybercrime rates, look at legislative restrictions that inhibit the ability of law enforcement to successfully detect, charge, extradite, prosecute cybercriminals. Look at the wealth, look at the Darknet. Look at the risk-reward that goes on with being a cybercriminal.
“You have, I think, the most invasive and destructive form of crime in history going on and people need to know about this. They need to know how to reduce the rate of potential cyber victimization and how to become more cyber safe and cyber-savvy to the best of their ability,” said Kayser.
A 23-year veteran of the computer industry who started as a programmer and rose to become lead manager for a software project for a major Canadian bank before switching careers to manage financial portfolios, Kayser did well enough to go into semi-retirement. Then he studied criminal justice, eventually earning a Master’s degree at Boston University in criminal justice and cybercrime.
“Social engineering is ingrained in us,” he said, meaning at a young age people learn to manipulate others for a reward: Babies cry until they get fed, children throw tantrums until they get a toy. Parents tell their teenagers, “Clean your room and we’ll go to McDonald’s.” Bill Gates, Kayser observed, once said he uses “negative motivation” to spur employees.
Gullibility and forced habit
Still, after years of (sometimes sporadic) corporate awareness training and news articles, users fall for scams. “It’s a combination of gullibility and forced habit,” Kayser said. “There are assumptions people make.” One is that IT manufacturers are doing everything possible to make sure people aren’t victims. Another is that their ISP is doing absolutely everything in its power to make sure nothing resembling malware gets through. That’s part of his RESCAT theory. Many assume, “The world is looking out for me.”
Another factor is people are in a rush. Many successful cyberattacks happen on a Monday when people come into the office to face a pile of emails. Staff want to be efficient. They read too fast, there are distractions and the caution that they might exercise on other days is gone.
It would help, Kayser says, if cyber awareness was taught in early grades.
Advice for CISOs
Asked what effective corporate cyber awareness training looks like, he pointed to efforts by Canadian banks. In one institution, keyboards have been configured to have a button staff can push to alert IT if they get a suspicious email. But organizations also have to set and enforce responsible use of technology, he said, such as refusing to allow personal surfing during working hours.
And beyond training it may be necessary to make corporate directors responsible for security incidents, he added. Meanwhile, CISOs have to understand the fact that everybody’s busy, stressed, particularly today.
“Most people are trying to do the best they can within the organization, but their priority is not cyber safety and cyber awareness … So it falls upon the CISO to develop education programs and processes that can safeguard employees through automatic processes as well as supplying employee education about the real risk of potential cyber victimization.”
Training needs to be tailored to the audience, he stressed.