When was the last time you updated your security procedures to regulate employee access to information? How educated are you on the latest online phishing threats?
As mentioned last week, hackers follow a general methodology in their attacks. In a previous post I briefly covered the Reconnaissance and Scanning phases of an attack. That is where the pieces of the puzzle are located and brought together to be analyzed, for the sake of putting together an attack strategy. Though not necessarily the next step, many hackers then choose to focus on the human side of the infrastructure, often considered the weakest link: its users. Unfortunately, no security system, individual device, or software solution can fully protect you from an attack if your people aren’t properly trained and given policies and guidelines to adhere to.
Verizon’s recent Data Breach Investigations Report pointed out that a study of 150,000 phishing emails sent by its partners found that 23% of recipients opened the message and 11% opened the email’s attachment. That’s potentially 1 in every 10 employees opening a malicious attachment that could severely damage your business. Combine that with the right form of malware and you could be dealing with a hack similar to Sony’s within a few hours or days.
Hackers these days rely heavily on a user’s misunderstanding and lack of training to gain the access they require. You have seen it many times in the form of phishing emails and websites: an email asking you to verify your American Express password by following the link provided, or a caller claiming to be a Microsoft employee hired to clean out infections that your computer supposedly reported. These are all considered forms of Social Engineering. Some hackers will even go directly to this stage because of its extremely high rate of success.
There is a case study in the book Social Engineering: The Art of Human Hacking by Christopher Hadnagy, in which the author (a well-known social engineer/hacker) was hired by a business to test its security posture. In his test he found information about the CEO using sites such as Google, Facebook, Yelp and even the company’s very own website. From this he developed a plan of attack that used the CEO’s philanthropy against him.
Hadnagy created a fake cancer research organization after discovering that the CEO had a family member with cancer, as well as past donations to other cancer research groups. From there he called the CEO right before close of business and presented his fake organization. He even threw in a raffle for a pair of tickets to a Mets game (the CEO’s favorite team, according to Facebook) and a gift certificate to one of three restaurants (one of which, according to a Yelp review, was his favorite), and told him he would be automatically entered when making a donation. The CEO agreed. Hadnagy sent him a malicious PDF, and that was game, set and match. Though this may seem unfair, it is exactly how things play out in the real world. When a hacker wants something badly enough, he or she will go the distance to get it.
So how do you protect your security system against a hacker’s deceptive social tactics?
Implementing spam and web filters is a great first step toward protecting your business and its employees from themselves. These solutions work very well together to eliminate email and website threats before they even reach your employees’ computers. In some cases you may be able to implement multiple layers of both, to help catch things the first layer may have missed. This strategy is known as Defense in Depth, which I will discuss further in a future post.
Let us not forget that these attacks can also come in the form of a “friendly” phone call, a “lost” USB drive or even an in-person visit. Ultimately, the best defense against social engineering comes down to your employees and making sure you invest in their security awareness. Communication is key, but we must also remember that we all make mistakes; we just need to minimize their frequency.