Email – Deceptive By Design

On July 20, 2012, President Obama wrote in the Wall Street Journal:

Nuclear power plants must have fences and defenses to thwart a terrorist attack. Water treatment plants must test their water regularly for contaminants. Airplanes must have secure cockpit doors. We all understand the need for these kinds of physical security measures. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries.

The most widely used backdoor into data systems is the Advanced Persistent Threat (APT).  The most commonly used attack vector in APT is spearphishing – a deceptive email created by a thinking adversary with the intent of inducing the recipient to take an action that compromises systems. The most common actions desired by the adversary are for the recipient to open the targeted email and then open a malicious attachment, which then installs malware that compromises the data processing system.

What we observe in this cyber-attack is people attacking people. The attackers are using the tools of cyberspace, in this case email, to deceive people into compromising data processing systems. Dr. Frederick Chang, former NSA Director of Research, warns that:

… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.

In Email – Deceptive By Design, Iconix explains how email favors the attacker in the adversarial engagement because email is a deceptive interface which is easily manipulated by the attacker.


Comments are closed.