The Human Factor: the weakest link in the chain

In an emerging world of new mobile technologies, a well-established attack surface grows along with everything else. The following graph demonstrates the mobile subscriber growth over the past eight years:


The next graph shows Google’s mobile search traffic growth over the past three years.


Combined with the equally rapid growth of social networks, client-side attack is the growing giant of our days. The main characteristic of such attacks is the end user interaction. It needs the victim to trust some content provided by an entity which appears to be legitimate. Unfortunately, human trust is something that has actively been exploited for thousands of years.

Traditionally, network perimeter security devices, such as Firewalls, IDS/IPS systems and Proxies were the first line of defence for attacks against the internal systems where all the critical business data resided. Over the years these technologies have matured and are now at a level that can offer robust inbound security. But a Firewall for example cannot stop all traffic. Specific services, critical to the business, have to be allowed through. Inbound email and outbound Internet access are business requirements and access to these services has to be granted.

An attacker will always go after the low hanging fruit first, whilst keeping in mind their end goal which is data access. The first obstacle for them is perimeter security. Breaking the perimeter is much harder today than it used to be. The only viable route into the network is usually email. This is more than enough for an attacker’s purposes and, as simple as that, the Firewall has just been taken out of the equation. As users have access both to the internal network and the Internet, their desktop computers are usually less hardened than other systems. The fact that most often they run outdated and vulnerable client software to perform their tasks, makes them the ideal target, enabling the attacker to gain a foothold on the user’s machine and consequently the internal network.

Inconsistency in privacy settings gives attackers the data they need

In order to plan such attacks, someone needs to gather information and profile their targets, with the most popular source for such quests being the Internet and in particular the social networks. The combination of the personal and professional networks where the users willingly and regularly update their status can offer a wealth of accurate information. Many times users are found to enforce strict privacy settings on one network, and at the same time be a lot more liberal with the information they publish on another. Eventually the attacker will profile these targets and start crafting the next phase of the attack.

To deliver their malicious payload, attackers will usually either select some sort of social engineering/spear phishing attack, such as an email containing a URL that is pointing to a system under their control and wait for the user to visit it, or exploit vulnerabilities in end user software that is present on the target’s system. Adobe Reader, Java, Flash and MS Office are some popular examples of software exploited in the wild for many years.

Another threat, known as Advanced Persistent Threat (APT), makes defence even more challenging. An APT is characterised by sophisticated malware which avoids detection and operates on the target network in the long term with the purpose of harvesting specific information. It differs from traditional malware in that it won’t infect random vulnerable systems, but will instead be much more targeted. The Stuxnet worm, which was developed to target SCADA systems, the Mandiant APT1 report, which presents a number of malicious attacks originated by foreign governments, and the Shamoon virus, which massively wiped computer systems, are just a few examples.

The boundaries of networks have further expanded with the introduction of smart phone technologies. Mobile devices such as these have experienced a vast increase in performance, providing them with the capability to have a large impact on networks. Smart phones have become a large part of modern life, and we consequently put huge trust in them. Many people depend on them for accessing emails and other forms of data in a secure manner. This information can range from personal to high profile sensitive information about an organisation. It is for this reason that smart phones have become a target for attackers.

Connecting to networks outside the corporate infrastructure can compromise either’s security

An attack can compromise a user’s device, and access its sensitive information. Furthermore, remote access to a compromised device can be used as a new entry point to a corporate network. If a mobile device were to be associated with a company network, any other devices connected to that network are potentially accessible from the smart phone. As many users use their mobile devices from home, connecting to their private home network could expose their devices to attacks, as the device would no longer be protected by a managed corporate network.

Attackers could launch a silent attack against a smart phone when it is dormant, and wait for the device to connect back to the corporate network. As this device is already associated with the network, it is considered to be a trusted device, granting the attacker a much larger attack surface and the ability to gain access to the network from the inside. Smart phone security has come a long way over a short period of time, although it can still be found vulnerable to security issues. It is for this reason that mobile devices such as smart phones should be considered with caution when allowing access to a corporate infrastructure.


The rapid expansion of smart phone technologies and their worldwide adoption has come with a price. When users willingly give away personal information and, at the same time, lack security awareness, attackers can very easily profile them and deliver personalised client-side attacks. So hackers don’t have to find the business; it’s the users who are leading them to the front door. APTs make the task of security even more challenging.

Businesses often prefer to focus on restoring security on existing infrastructure, which has already proven to be weak, rather than building their security on a new secure foundation. This only makes attackers’ lives easier. Rebuilding a system on a secure foundation from scratch is not a trivial task to achieve and it takes time, but, given the fact that the human factor won’t change, it is businesses’ best bet.



