THE WEAKEST LINK
How to Diagnose, Detect, and Defend Users from Phishing
ARUN VISHWANATH
The MIT Press
Cambridge, Massachusetts
London, England
© 2022 Massachusetts Institute of Technology
All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from the publisher.
The MIT Press would like to thank the anonymous peer reviewers who provided comments on drafts of this book. The generous work of academic experts is essential for establishing the authority and quality of our publications. We acknowledge with gratitude the contributions of these otherwise uncredited readers.
Library of Congress Cataloging-in-Publication Data
Names: Vishwanath, Arun, author.
Title: The weakest link : how to diagnose, detect, and defend users from phishing / Arun Vishwanath.
Description: Cambridge, Massachusetts : The MIT Press, [2022] | Includes bibliographical references.
Identifiers: LCCN 2021060548 (print) | LCCN 2021060549 (ebook) | ISBN 9780262047494 (hardcover) | ISBN 9780262371964 (pdf) | ISBN 9780262371971 (epub)
Subjects: LCSH: Phishing. | Computer security. | Computer networks -- Security measures. | Computer crimes -- Prevention.
Classification: LCC HV6773.15.P45 V56 2022 (print) | LCC HV6773.15.P45 (ebook) | DDC 364.16/8 -- dc23/eng/20220307
LC record available at https://lccn.loc.gov/2021060548
LC ebook record available at https://lccn.loc.gov/2021060549
Contents
List of Figures
List of Tables
Acknowledgments
This book is the culmination of a journey that began with a spear phishing attack my institution received more than a decade ago. It was a new form of attack for the time, different from the all-too-common Nigerian phishing email. The attack occurred when I was studying the psychology of technology use and testing different ways of framing messages to persuade users into using their devices optimally. It was this fortuitous timing that led me to recognize the potential of this new attack vector, shaped my overall body of research on user risk from phishing, and ultimately led to this book.
The research journey that followed took years of trying and failing. Many helped along the way. Among them were numerous students who worked on my research. Some worked for course credit, others coauthored papers with me, still others served as subjects, volunteering their data. This book wouldn't have been possible without their contributions. There were also agencies and organizations that lent invaluable support. The National Science Foundation provided some of the initial funding. Other organizations allowed me to test my approach on their employees. They provided data and insights into the challenges they faced, which guided the development of the cyber risk assessment approach. I am thankful to each of them.
There are many others. Most notably, Bruce Schneier at the Harvard Kennedy School, who inspired and mentored me through the arduous book-writing process, and Jeff Dean, my former editor at Harvard University Press, who was among the first to see the book's potential. I am forever grateful to them. I am also thankful to the entire editorial team at the MIT Press, who stepped up and shepherded the book through the publication process. Others include Dr. Loo Seng Neo, formerly at the Singapore Ministry of Home Ministry (and the rest of the behavioral science research team headed by Dr. Majeed Khader), and Simon Pavitt, at the UK Ministry of Defence, who helped refine the cyber hygiene inventory. They, along with the community of national security and law enforcement professionals in the United States, the United Kingdom, Europe, and Australia, helped shape this book, and I am grateful to all of them.
My final, deepest gratitude is to my family. My wife, Leslie, and my children, Vera and Dean, patiently suffered through my years of research and writing. Without their support, the book wouldn't have happened. Without them, none of it would matter. Thank you!
INTRODUCTION
It was Monday, November 24, 2014. Employees logging into their computers were greeted by a locked screen, across which flashed a menacing image of a fiery red skull with long tentacles and the message "Hacked by #GOP." Accompanying it were sounds of gunfire, a poorly worded warning alluding to the theft of all the company's internal data, and a deadline of 16 hours to comply with a demand. This was the beginning of a hostage situation, one that would rewrite the rules of cyber warfare forever.
The company under siege was Sony Pictures Entertainment (SPE). A hacker group named GOP, short for Guardians of Peace, demanded the stoppage of The Interview, a Seth Rogen movie slated for release on Christmas Day that featured a comical plot to assassinate North Korean leader Kim Jong-un.
As harried SPE employees restarted their computers, the malware kept finding newer hosts, quickly leaping from computer to computer, jumping through networks and then through servers. Within an hour, the attack had infected all SPE computers in Los Angeles, then New York, and soon across all continents. Within a few more hours, everything digital (files, data, emails, messages, scripts, storyboards) had been irretrievably lost.
Writing for Fortune magazine, Peter Elkind detailed the scale of the destruction: "It erased everything stored on 3,262 of the company's 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When this was done, the code capped each computer's startup software, rendering the machines brain-dead."
Over the next few weeks, the hackers dumped batches of confidential files on publicly accessible file-sharing hubs. These included emails among SPE's leadership team, the salaries and Social Security numbers of 47,000 employees, passports and visas of various cast and crew members, unfinished and finished scripts of yet-to-be-released movies, and even information about SPE's corporate vendors, such as the salary data of over 30,000 employees of Deloitte, its accounting firm. In all, the hackers stole and released over 100 terabytes of data.
By mid-December, the Federal Bureau of Investigation (FBI) had officially attributed the breach to North Korea. The overall cost for system cleanup and recovery would be a staggering $45 million. That's without accounting for the firing of SPE's studio chief, Amy Pascal, and others in top management; the loss of revenue from the leaked movies and scripts; the class-action lawsuits from employees and vendors; and the months of embarrassment from the trove of confidential emails that revealed not just the insides of the movie business but also SPE executives' antipathy toward President Barack Obama and various Hollywood stars and starlets.
But while the media were busy covering the salacious gossip, there was a critical question no one asked: how could a country like North Korea pull off such a major cyber breach? To put this in context, all of North Korea's 24 million inhabitants have access to just about 28 websites, and only 0.3 percent of its entire population (7,200 people) have unrestricted web access. So how did this technologically unsophisticated nation push one of the world's foremost technological corporations back to the pre-computer age, where employees were now resorting to Post-it notes and bulletin boards for communication? The answer is spear phishing: a virulent, internet-based social engineering attack that I had been tracking, researching, and warning about for almost a decade.