As we've discussed previously in this book, there's a large disconnect for most people: the Internet is still another world, not quite the real one. This allows most people to believe that the bad things that happen on the Internet have no real consequences here, in this world; the digital realm as a whole is treated as a kind of modern-day folklore. Failing to bridge this gap for the individual is cause for concern. I believe our duty as functioning members of this community—a community built to secure other communities—is to raise awareness among the masses that have no insight into our world and to help them also think like an attacker, just with more everyday utility. Teaching people this way of thinking will also bolster our efforts from within the community—educating people so they can more readily identify and respond to attacks.
As an individual, maybe you are very security-conscious and security-aware. Maybe your cyber hygiene is the stuff of legend. In that case, you may stop the phish, but will your bank or cell phone company? If they don't, your data can still be handed to an attacker, and you are compromised through no fault of your own. This is where learning about security and privacy (separate but related categories) becomes helpful, and I will return to it later in this chapter.
Moreover, some groups are acutely susceptible, such as the elderly, who may not be tech savvy and are often targeted because they tend to have their financial affairs in order, which makes them ideal targets. Socially savvy kids are also targeted often. Children have little experience dealing with adults outside their families and so can fail to understand how quickly and easily they can be manipulated by outsiders; they are unlikely to think far enough ahead to foresee the dangers.
Regardless of whether you fall into one of these or another category, the vastness of the Internet and the spectrum of security techniques and advice is often daunting. It should come as no real shock, then, that the thought of an imposter, attacker, or malicious party existing, whose main concern is centered on gaining access to “our” world through the Internet, is outlandish to many people.
Moreover, two other things become increasingly apparent as I talk to people outside of the infosec community. One is that there is a yawning gap between what ordinary people treat as sensitive information and what an attacker can actually use; the other is that privacy is a spectrum, not a standard. Both are cause for concern, and each requires a different solution.
I believe there are a few science-based things we should keep in mind that will make a successful attack against us, whether digital or in person, much less likely. The remainder of this chapter will cover those after briefly setting out why information matters so much and which types matter most.
Let's start with people and data. People are not aware of what constitutes sensitive data, and it can be a hard task to bring many people around to the idea that data, or information that is seemingly benign, poses a threat to them if leaked. I wrote an article (Healthcare: Elite Data, 2020, https://www.social-engineer.com/healthcare-elite-data/), which you can find in the notes section of the book (on the website), in which I stated that health data is elite data and noted that most people can't fathom the prospect of that data being worth anything. People tend not to look past the obvious when it comes to categorizing data as sensitive. Most people would agree that a malicious actor getting their credit card information would be detrimental, and that's because the effects are tangible: someone else having your credit card does stimulate fear—you can guess the outcome of that, even if you still prefer bartering. In other words, you don't have to own a credit card to know its functionality and what a criminal could do with it.
However, asking if it really matters if someone can find out their blood type or weight, or that they have a +3.00 prescription lens does not provoke the same level of anxiety or moment of sudden insight or discovery. Asking people if they should be concerned if the Internet crime leagues know they've been treated for high blood pressure or a broken foot five years ago raises no immediate suspicions or fear levels. Most people don't seem to care if a stranger knows about a recent heart attack or the onset of diabetes. In fact, most people shrug this off, wondering just how dangerous it could be for someone to know this type of information about them. Only after it's pointed out that these things don't change do people start to think about what it would actually mean to have that data fall into the wrong hands.
With traditional identity theft, banks and (in limited cases) the Social Security Administration can work against criminals by changing details for us: a card number is reissued, a new account number is assigned. Health data cannot be changed this way. We can't change our blood type or our prescription lens. Worse still, we can't always change our mental health status or invisible injuries, such as anxiety, depression, schizophrenia, or bipolar disorder, nor the diseases we've had or have. Permanence is what makes data elite, and we, as the victims, can't always offset the consequences by reporting and disputing.
Taking it a step further, your genes play a massive role in who you are and what you are capable of. If you have taken a DNA test or something similar, your DNA has already been sequenced, at least in part. What if someone got hold of that data and sold it? Or, instead of the consequences being minor, what if it was published and showed markers for a disease that made you look very unattractive as an employee or to an insurer (or both)?
There's something else leaked elite data brings to the table: longevity of attacks. I can vish and phish you about that every day, forever. I can pose as your insurance company, doctor, nurse, psychiatrist, therapist, psychologist, optometrist, or pharmacist; if you switch providers, I may be able to find out who you changed to and use the unchanging data against you again. That's the reality of the world we live in, so it's imperative that we all understand the risks and where they truly lie.
If you've read this book so far, you now know how an attacker thinks and targets. Apply this to your own life.
The concept of behavioral security needs one question put under the microscope if it is to succeed as a style of protection: why do we act in certain ways when we are being targeted? The response will inform how we go about mitigating the risks. To begin answering that, let's look at human psychology from the side of the target.
There are two fundamental components of our psychology and how they manifest as behavior. There's a cognitive component, which consists of your thoughts and beliefs about something. There's an affective component, which is how you feel about something. These form your behavioral outcome. AMs uses those two basic components against you as an individual, with the aim of shaping the outcome of your behavior to their advantage.
It's a hard game to win, mainly because you, as the target, don't know you are in a game. But by becoming aware of these biases that create human vulnerability and by lessening how much value you ascribe to interactions with strangers, and by following a process where there is no room for an exception to the rule, you will keep yourself safer, your employer safer, and the wider communities safer.
Defense starts in the brain. Because of this, I believe behavioral security deserves to be taken seriously as a branch of cyber- and information security. As I see it, and as some branches of science see it, too, we are all chock-full of weaknesses, irrationalities, and idiosyncrasies.
The best protection against a threat, physical or cyber-based, ultimately depends on the individual's own actions, knowledge, and attitude. It would be great if we were all emotional robots in a way; we could be programmed to act accordingly. But, as Richard Thaler pointed out in his book Misbehaving (W. W. Norton & Company, 2016), we are not rational beings, and from that insight behavioral economics was born. Under the same lens, it's easy to see that we as humans do not act rationally when it comes to security. The effect of psychological, cognitive, emotional, cultural, and social factors, and of a poverty of information, on the decisions of individuals and institutions is often where security fails. Moreover, defense fails when people don't have the skills to think critically about what they're seeing and to examine claims of fact before accepting them as true. When we fully recognize this and put in place cognitive defenses alongside physical and digital ones, our security posture as a whole will shift, helping individuals, businesses, and communities get ahead of the attacker. The first step in building these cognitive defenses is to become familiar with how we are vulnerable to cognitive attacks.
We often act, or react, because we feel a certain way, and as you should know by now, the attacker mindset used in conjunction with social engineering is an effective tool for making a target feel the way the attacker needs them to feel to get the job done—whether fearful, joyful, or compelled. We can look at behavioral security in terms of irrational behavior and search for ways to counteract that behavior. Alas, we are all at risk of being a target, so target psychology is well worth our consideration, and combating weaknesses through behavioral security is the solution. The promise of behavioral security as applied to policy is to design around people's weaknesses so that the secure action is also the easy one, helping them achieve their business's goals. Make security seem simple and automatic. From the wording of policies to how they are disseminated, security must be shaped to make it easy to understand, remember, and act on. Behavioral security will allow us, as security professionals, to stop treating security only through technological defensive measures, which on their own have proven ineffective, and start looking at the psychology of an attack and placing defenses there, too. We must take security and mold it for human behavior, not just for the technological pursuit of crime.
When Thaler coined the concept of mental accounting, he stated that people think of value in relative terms and not in absolute terms; they gain pleasure from how good the deal is, not just from an object's value. According to this theory of mental accounting, people treat money differently depending on things like the money's origin and intended use, rather than thinking of money as money. MIT's Drazen Prelec and Duncan Simester found that people are generally more willing to spend a larger sum of money when they pay with a credit card than with cash (“Always Leave Home Without It: A Further Investigation of the Credit-Card Effect on Willingness to Pay,” 2001, https://web.mit.edu/simester/Public/Papers/Alwaysleavehome.pdf). People are also more willing to spend $10 on a theater ticket if they have just lost a $10 bill than if they have to replace a lost ticket worth $10 (Kahneman and Tversky, 1984, referenced in “Choices, Values and Frames,” https://web.missouri.edu/~segerti/capstone/choicesvalues.pdf). But it is all the same: losing the $10 ticket is economically the same loss as losing the $10 bill. This brings into play fungibility—money is interchangeable and has no labels. Here's where I am going with this: most people see security through a similar mental filter. People think of security (and money) through a subjective lens that often intersects with their feelings rather than thinking of it in terms of the “bottom line.”
Why should cybersecurity be treated any differently than physical security? Many people wouldn't try unknown doors on a dark night just to see what's behind them, but they will click unknown links from unknown sources without looking closely at the originating address. Many people wouldn't leave their cars or homes unlocked, but they will leave their computers unlocked. Many people will take seriously the news that thieves are operating in their area, going door to door, but not that hackers are always on the prowl and capable of getting onto their network, even though so much of our personal lives and details are held within the devices we connect to our networks. They won't stop filling in online forms with personal details that are collected and used maliciously. Most of us would not tell a stranger who happened to walk by us on the street where we had been and where we were going, but we will give people that information on Facebook through check-ins or by labeling Instagram photos with location metadata. The parallels are endless, but the bottom line remains: people should think of security as, well, security. But to do so, they have to understand that there is crossover between what can be stolen from them online and what can be stolen or spied on in the physical world.
Reductively, security online is not so different from security in the real world: if you wouldn't tell a stranger, don't tell the Internet. Your privacy matters and is not the same as, but is linked to, your security. All data is sensitive data. If you can place yourself in the mind of an attacker, you will be able to assess more clearly and accurately what can be used against you and how. You might still choose to share information, but that will be your choice and at least it will be informed.
People should follow processes and treat security as an absolute, not as a relative and subjective thing, not based on how they feel about a person or email, and not based on where the requests and directives are coming from. Security should be fungible—interchangeable, not subjective. Creating simple policies that allow a person—any person, of any position or rank—to understand them easily and treat them as absolutes is a good start. And if you, as the individual supposed to implement the policies, don't understand them, speak up. Ask people around you if they understand the policies, and ask yourself how likely you are to uphold their directives. For the points that seem too far-fetched or unclear to you, raise them with your peers and management so that they can be carved into something more meaningful or clear—something you can follow. Following the right processes, no matter how they feel, is critical.
Recall the woman who really wanted to help me on my vishing call, which was meant to trick her. She followed every process the client had, was polite, seemed as though she really wanted to help, spent time trying to authorize herself to help, but ultimately ended the call when she couldn't verify me. She treated security as an absolute, not as a relative and subjective thing. She did not look at the circumstances and narratives I was presenting and find a way in her mind to let it work. She found no value in our unique interaction. It did not matter to her that I was trying to be sweet, charming. She beat me in a game of chess she didn't even know she was playing. But this is not common.
Finally, as a community, we can use every digital and physical tool at our disposal to protect people, communities, and businesses, and those efforts are a good start. But the real solution begins to take shape when people realize they're being subjected to cognitive attacks. Defense starts in the brain. Behavioral security should be taken seriously as a branch of cyber- and information security because, as humans, we do not always act rationally, so as security professionals, we must seek to understand individuals as they really are and how that matters to security. Many factors contribute here: cultures and subcultures within the workplace, the overall understanding of a company's optimal security posture and how far it is from achieving it, why it is important, and how attacks might unfold.
We know security—digital, physical, personal, and professional—can be a scary topic, especially if you've faced online harassment, identity theft, or other online attacks. As an individual intent on avoiding becoming a target, there are things you can do to mitigate your risk. But first, you have to know how it feels to be one.
The amygdala is actually a pair, the amygdalae: one on each side of the brain, behind the eyes and the optic nerves. Bessel van der Kolk, a prominent psychiatrist, calls them the brain's “smoke detector.” They detect fear and prepare your body for an emergency response. When you identify a threat, your amygdalae sound an alarm that triggers a flood of stress hormones, such as adrenaline and cortisol. When this deeply instinctive function takes over, it is called an amygdala hijack, a term Daniel Goleman coined in Emotional Intelligence (Bantam, 2005). In common parlance, you have been “triggered.” All of the responses to an amygdala hijack are designed to move you into action. Complex decision making departs, as does your ability to weigh several considerations at once.
The amygdalae work with the conscious and unconscious areas of the brain to determine how to react to situations. When a stress response occurs, the sympathetic nervous system is activated. It is part of the autonomic nervous system, which controls our automatic functions, like the immune response, hormones, digestion, heart rhythm, and breathing. This is what an attacker relies on.
If an attacker says they have an appointment and that if you don't let them in, something bad will happen—the elevators will have to be shut down, or your boss's request won't be honored, or that your action will impact the situation negatively—there's a likelihood the amygdalae will be provoked. The most effective way out of this state is to pause. It may sound hippy-dippy and like therapy parlance, but it's the best way to reset your defenses and reassume your composure. Follow the process set out for you. Simplify it in your brain to an objective. Now you are thinking like an attacker, and now you're on the path to beating one.
Just having awareness of this, knowing that it can be used against you with nothing more than a sentence, is scary. But it's the first step of defense. You can always pause. Regain your composure, take a few breaths, and wait until your mind can reassess the situation and reply as you see fit. Treat security as an absolute, not as a subjective thing. Place little value on unique interaction with someone trying to bypass normal processes. There's a chance they want you to feel and then act in a certain way.
Acting in a security-conscious way doesn't come down to how the situation makes you feel; it comes down to the process for the situation.
Another area where amygdala hijacking is rife is a widespread phishing scam that relies on sextortion. A target receives an email claiming that their computer has been hacked and that intimate recordings of them, for example using a porn site or engaging in sexual activity, have been obtained. Some versions of this scam even include one of the person's passwords for an online account or appear to have been sent from the person's own email address. Without the proper knowledge, it's hard not to fall for this. The email then blackmails the target, threatening to release the footage unless a payment is made. This is often an emotional event, and all the deep breaths in the world might not help, because there's often no process to follow in our personal lives (unlike in our professional ones). This is where reasoning and education come into the mix. Still take the time to calm down, and then do some research. Depending on how tech-savvy you are, your research might mean reaching out to a friend or trusted source.
For closure's sake, for this sort of phish and any other: don't respond and don't send any payment. The password quoted in such an email almost always comes from an old, public breach dump rather than from access to your computer, and the “sent from your own address” trick is nothing more than a forged From header, which is why the right next step is to check your exposure rather than to panic. Immediately change your password(s). A good resource is the website Have I Been Pwned?. It allows you to check whether your email address appears in one of the large data breaches in its database. If your email address is listed, change the passwords for all the listed accounts, and if you reuse passwords across multiple accounts, change those too. You should also mark the phish as spam and delete it.
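Below is an added example, not from the book, showing how a breach check can be done without handing over the secret being checked. It uses the line format of Have I Been Pwned's Pwned Passwords range API, a sibling of the email lookup mentioned above: only the first five hex characters of the password's SHA-1 hash go to the service, which returns every known hash suffix with that prefix together with a breach count, and the match is made locally. The RANGE_RESPONSE here is a constructed stand-in for the service's reply so the script runs offline; its counts are made up.

```python
"""Added example (not the book's code): a k-anonymity password breach check.

Only a 5-character hash prefix is ever sent; the password and its full hash
stay local. RANGE_RESPONSE is a constructed sample of the service's reply.
"""
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char range prefix and 35-char suffix (uppercase hex)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in breaches per the range response; 0 means not seen."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its range prefix is 5BAA6.
# Constructed sample reply for that prefix: three unrelated suffixes plus the real suffix
# of "password". The counts are invented for the example; the live service reports far more.
RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
011053FD0BEA51B0A2C3BF5DCE8B2ABB7DC:3
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, RANGE_RESPONSE)
        print(f"{candidate!r}: {'seen %d times, change it' % n if n else 'not in this range response'}")
```

Against the live service, replace RANGE_RESPONSE with the body of a GET to https://api.pwnedpasswords.com/range/ followed by the prefix; nothing else changes, and the password itself never leaves the machine.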
If you ever end up sending money using your credit card, you must talk to the card company, and the same goes for a payment from your bank account. If you paid in Bitcoin, the transaction is recorded publicly but cannot be reversed, and the recipient's wallet is pseudonymous, so the money is almost certainly gone.
Think of yourself as one person with multiple attack points. Remember, as far as AMs is concerned, every piece of information that exists about you can be tied back to the objective of targeting you: the attacker will weigh up all the information they find about you and assess whether it is good or bad in terms of their objective. Learn and lean into the fact that privacy limits the amount of information an attacker can discover about you, and security prevents unauthorized access to your accounts and assets. You need to implement both to have a cohesive strategy. There are best practices that apply to everyone, and there are practices that are specific to you, your footprint, and your needs. See what an attacker could find on you, and think about how that would affect you.
You should eliminate all unnecessary pathways, including old posts on social media and emails no longer in use. Think like someone who wants to get your most valuable possession, your deepest secrets, or into your safest places. You might also attempt to OSINT yourself. See what you could put together, based on the information available online about yourself. You could include reverse searching and analyzing pictures you've posted to see if there is anything in the background that gives away information that could (a) locate you or (b) be sensitive.
You might also look at your location. Where does your house sit on the street? Who can see into your house and from where? These are important questions to ask if there's ever a chance you could be spied on. You might also consider the pictures you post of your house's interior online. If you post the cute picture of your cat on your keyboard, are you also posting the apps you have on your computer? What about the hardware you use? It can all be valuable to an attacker.
There's also the issue of when you decide to sell your home. Those images tend to live online for a long time. You might consider taking images of your family members down and also keeping other sensitive information, like mail and hardware, out of view.
Get educated on good techniques to protect yourself, like using VPNs, strong and unique passwords, two-factor authentication, and privacy-centric email providers. Michael Bazzell's Extreme Privacy: What It Takes to Disappear (2020) offers tips on how to hide, such as removing your information from databases, ways to avoid providing your cell phone number, protecting your address, and registering your residence and vehicles in trusts or LLCs. That might be too far for some readers and sound like the stuff privacy dreams are made of.
I recently gave an interactive speech to one of America's three-letter agencies, where I said that if you go to a hotel, check the position of the cameras relative to your room, have your room point onto the street, not somewhere obscure, so that, should someone try to break in, they will be seen. I also noted that you should ask for a room that is not on the ground floor to make access harder; when traveling, you should keep your devices under the seat in front of you where you can see them at all times; and that you should not check your accounts while traveling and that, if you can, avoid taking photos. To be honest, no one seemed very galvanized by the advice. It was taken with more of a “Well, yes, of course” reaction.
The advice applies to regular individuals as well. When I say it to “regular” people, however, they are always taken aback. They always want to delve into the topic and make me answer if that's something they should take seriously… I suppose it applies to some people more than others, but I don't know all of you. My suggestion is to take the advice if you think it's necessary for you to do so. Only you can decide that, but if you want to think like an attacker to beat one, you should consider it. After all, treating security as an absolute is the name of the game. Take the safer room; be cautious of your possessions as you travel. Be careful of the information you share at any time.
You should also be careful how you store confidential information. Keep it on encrypted hard drives, USB drives, and the like. Never leave your systems unattended. Always protect them with strong passwords.
In all honesty, a sharp AMs pointed against you as an individual is a hard thing to dodge. It takes full awareness, knowing and accepting that an attack could target you without you knowing in the moment. Such attacks can be brazen, almost effortlessly convincing you to hand over items of access that are seemingly harmless.
There are a few steps you can take that I will list here, because they become more viable and valuable with the awareness of attackers and their mindsets now that you've read this book:
With that said, there are other things, less often advised, you can do to protect yourself, such as redirecting and reflecting questions back at people who are inquisitive about your life. It's actually a good way to make friends, too, contrary to popular belief. People typically want to talk about themselves, not you. Let them.
At work, you should be wary of anyone asking what kind of software you use or the name of the person responsible for maintaining your computer network. We know attackers pose as coworkers, repair technicians, IT staff, and convenient outsiders with an apparently legitimate need to know such information.
Network security is also an area that requires attention. The traditional measures are antivirus, passwords, and keeping your devices, browsers, and apps up to date. Measures introduced by behavioral security, where we treat security as an absolute, mean knowing and sticking to effective processes. Don't log on to public Wi-Fi without a virtual private network (VPN), ever. Delete sensitive information when it's no longer needed, and do it weekly. Do not fill out forms online, such as quizzes and informal questionnaires. Do not click on anything in an email without hovering over the link to see where it really goes, or checking it in a virtual machine. There's so much you can do to be safe. The bottom line is that you have to research best practices, decide which to use, and then carry them out religiously.
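The following is an added example, not code from the book, that turns two of the habits above into a small triage script: the "hover over the link" check, and a check for the forged sender used by the sextortion mails described earlier, which appear to come from the target's own address. It compares the domains in the From, Reply-To, and Return-Path headers, and it flags any link whose visible text names one host while the href points at another. SAMPLE is a constructed message with fictional domains so that the script runs offline.

```python
"""Added example (not the book's code): automating the 'hover over the link' habit.

Check 1: do From, Reply-To and Return-Path agree on a domain? A forged From header
         is trivial; the other two usually betray the real sender.
Check 2: does every link whose visible text looks like a URL really lead to that host?
SAMPLE is a constructed message with fictional domains.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ROUTING_HEADERS = ("From", "Reply-To", "Return-Path")
# Anchor text a reader would take to be a web address (optional scheme, dotted host, optional path).
_URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def parse(raw: bytes):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return email.message_from_bytes(raw, policy=policy.default)


def header_domains(msg) -> dict:
    """Lowercased domain of each routing header's address, or None when the header is absent."""
    out = {}
    for name in ROUTING_HEADERS:
        addr = parseaddr(str(msg.get(name, "")))[1]
        out[name] = addr.rpartition("@")[2].lower() or None
    return out


def header_mismatches(msg) -> list:
    """Routing headers whose domain differs from the From domain."""
    doms = header_domains(msg)
    return [h for h in ROUTING_HEADERS[1:] if doms[h] and doms[h] != doms["From"]]


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com' style text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def deceptive_links(html: str) -> list:
    """(visible text, href) pairs where the text names one host and the href goes to another."""
    p = _Anchors()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if _URLISH.match(text) and _host(text) != _host(href)]


def triage(raw: bytes) -> dict:
    """Run both checks over a raw message; empty lists mean nothing suspicious was found."""
    msg = parse(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"header_mismatches": header_mismatches(msg), "deceptive_links": deceptive_links(html)}


# Constructed sample: From is forged to the recipient's own address, and the payment link's
# visible text shows the recipient's real provider while the href goes to the attacker's domain.
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Alice Target" <alice@example.com>
Reply-To: <support@example-pay.biz>
To: alice@example.com
Subject: Your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We recorded you. Pay now at <a href="https://example-pay.biz/x">https://www.example.com/secure</a>.</p>
<p>Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The link check deliberately compares exact hosts, so a link whose text says example.org but whose href goes to a.example.org is reported; on a personal mailbox that extra caution is cheaper than a missed phish.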
Finally, threat modeling looks within. An attacker's mindset is also shaped by looking at you and your information. The less you give them, the better. For the information you do give out, threat-model it: ask what the worst thing that can happen with that information is, and work backward from there to mitigate that risk or plan for the eventuality of it being used against you.
Treat your security as seriously as an attacker looking to harm you would.
If you are security conscious, be security conscious everywhere. The real solution will begin to take shape when people start realizing that they're being subjected to cognitive attacks. Defense starts in the brain. The promise of behavioral security as applied to policy is to design around people's weaknesses so that the secure action is also the easy one, helping them achieve their business's goals.