Look out, it’s a glitch attack!!
This article describes a type of attack that is directed against hardware. The attack is defined “as attacks that involve causing a hardware fault through manipulating the environmental variables in a system.” The article goes on to say “When power, high-temperature sensors, or clock signals are interrupted, the CPU and other processing components can skip instructions, temporarily stop executing programs, or behave in other ways that can allow attackers to slip malicious instructions into the processing gaps.”
As you read on, you find out that this is not something easily done as it requires physical access to the hardware. If the bad guy has physical access to your hardware, the game is over in many ways. I find this conclusion very interesting: “Nevertheless, glitching may never replace social engineering as a way into office productivity computers.”
That having been said, can we apply the definition of this attack to people? Note that it involves “manipulating the environmental variables in a system.” What environmental variables do users face on a daily basis? Perhaps the most pervasive variable is email. Very few businesses could operate for very long without email. It has become the main method of communication and even data sharing (think attachments). Each day the average office worker may see hundreds of emails. Some important, some urgent, some requiring action, some just for information. A majority of these emails will have either attachments or links in the body.
Turning Off Human Sensors
The article also mentioned interrupting sensors or clock signals. In a computing device, the sensors indicate a change in condition (high temperature, low voltage) and may also warn of a problem. The clock signals are used to initiate events or program instructions at a certain time. What about your day? By now only the most naïve users (and if you have them, it is your fault for not educating them) believe everything they see in email. Your users should be trained to be skeptical of email. Phishing emails are designed to turn off this sensor. Emails are crafted to look like regular business correspondence, or they may be designed to panic the reader into action (changing the clock signal or timing).
In physical attacks, the best defense is to prevent access. You have locks on your doors, more than one in some cases. For sensitive locations you may need very special items to get in: retinal access, fingerprint scans, biometric measurements. Unfortunately, you can’t lock up employees and prevent them from being accessed by email.
You can provide protection in some very basic ways: repeated training on how to analyze email to detect scams. It is somewhat disheartening to see how old and somewhat transparent scams still work on people who should know better. Here’s a great example:
please go buy $200 in Amazon gift cards and send me the numbers. I am in a meeting and can’t be disturbed. Please do this ASAP.
No one at your office would do this without questioning it, would they? Sure they would. We see it all the time! So, how ’bout this one?
Due to a bank change we need you to wire the funds to our new account. Please send money to this account: 1274a4435225.
Again, this gets acted on too often. Policies can go a long way to prevent this type of fraud, as long as the policies are clear and employees are acquainted with them. Encourage people to ask about requests that are out of the ordinary and let them know that caution is better than speed. Training, training, and more training will help the message get out. These days, when money can be lost electronically in just seconds, glitches can be expensive. To learn more about security awareness training for your team, give Ashton Technology Solutions a call at 216 397-4080.