Hackers Focus Shifts to Soft Targets
By Robert Coro, Senior Manager, Assurance Services
Another company, another headline. It's easy to become numb to the number of times you hear about another data breach or security incident resulting in the loss of credit card or health records at some of the largest US organizations. With the bottom lines of these companies in the billions and information technology budgets in the millions, you may wonder why these organizations continue to experience data breaches or security incidents.
Organizations today deploy a "Defense in Depth" strategy utilizing multiple security countermeasures and tools to protect the integrity of their information assets. This minimizes the probability that the efforts of malicious hackers will succeed.
With the number of countermeasures deployed by organizations to mitigate their risks, hackers have turned their focus to a technique that targets human emotions and tendencies.
Social Engineering is a big concern for organizations, as soft targets such as employees, vendors, and service providers are being attacked. From the hacker's perspective, organizations have placed an emphasis on securing the perimeter, making the human factor a more appealing target. Organizations should continue to protect the perimeter but also complement perimeter security with strategies to protect and mitigate the risk of malicious, exploited and/or careless insider threats.
One of the most common ways outsiders are gaining access inside the network is through social engineering techniques called Phishing, Spear-Phishing and Whaling (Phishing). Phishing is the attempt to acquire sensitive information such as user names, passwords, and credit card/bank information by enticing individuals to click on a malicious link that directs them to a website that is infected with malware, or to download a malicious file through an electronic communication (email). The practice of spear-phishing is similar but uses specially crafted phishing emails to specific, targeted individuals, while whaling targets high-profile end users such as C-level corporate executives, politicians and celebrities. The additional information needed for a spear-phishing attack is collected by a number of methods, including social media, news articles, and other public information. Once an individual clicks on the link in the malicious email, it usually directs them to a website that entices the victim to enter their credentials or entices the victim to download malware on the victim's computer, which may allow attackers to pivot their access to other systems within the organization's network, bypassing security tools deployed to prevent unauthorized access from external threats.
Most social engineering techniques are successful because of human trust, fear and curiosity. There are a number of schemes a social engineer can use to entice users and infiltrate your organization. Many times the victim is unaware that they are currently or have been attacked. People fall victim to these schemes because they have not been properly trained or warned about the techniques used with social engineering.
Cost of Phishing Attacks
According to a Ponemon Institute report, phishing attacks cost large businesses $3.77 million annually. The costs are real and can damage the reputation of the organization and CEO. According to CSO online, CEO's are out of a job within six months of a cybersecurity breach.
Examples of Security Breaches due to Social Engineering
South Carolina Department of Revenue (2012): A targeted phishing email delivered to an employee at the South Carolina Department of Revenue opened the door for attackers to ex-filtrate Social Security numbers and other personal data belonging to millions of residents. 3.8 million records stolen.
Target (2013): Target's network was breached by using HVAC vendor's credential after falling victim to a phishing attack. 40 million credit card and debit cards stolen.
Sony (2014):A security researcher found that hackers used phishing emails to penetrate Sony Pictures Entertainment's computer networks last fall. Many top executives received fake Apple ID verification emails in mid-September that contained a false link. Upon visiting this domain, victims were prompted to enter Apple ID information into a fake verification form.
After obtaining Sony employees' Apple IDs and passwords, the hackers then presumably used these credentials in conjunction with employees' LinkedIn profiles to figure out their Sony network login information, all in the hopes that the employees had used the same passwords for work and personal accounts.
Ubiquiti Networks (2015): This incident involved employee impersonation and fraudulent requests from an outside entity targeting the company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million from a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
SevOne (2016): SevOne's data breach is believed to have been a cyberattack known as "spear-phishing." The scheme involves a "spoof" email that appears to come from a company executive requesting sensitive information from an unsuspecting employee.
In 2003, in their book, Hacking Linux Exposed, B. Hatch and J. Lee suggested adopting the following attitudes, which are still relevant today:
- "Train the users." Given that this type of attack is always launched against a person, the best way to avoid it is to ensure that all of your employees are aware of what to look for when it comes to social engineering tactics.
- "Be paranoid." The authors recommend "cultivating a healthy paranoia," as it is normal that hackers will be wary of using someone who doesn't seem to trust them. "They look for the easiest objective."
- "Ask them everything." It is advisable to always ask the person you are dealing with why they need the information they have requested. "The majority of social engineering attacks fail by asking the attacker questions."
- "Always check their sources." If suspicious of a request sent by email, verify it by telephoning the sender.
- "Learn to say no." When a hacker is applying social engineering tactics, it is normal that he or she does it by straying from the norms of the business or tries to get the victim to depart from standard protocol.
These attitudes should be adopted by users through proper and periodic security awareness training. Once users understand the techniques that hackers use to exploit them, they will be able to identify a potential threat and not fall victim.
In addition to proper security awareness training, organizations should implement strategies to mitigate the risk of loss and inappropriate use of data by malicious, exploited and/or careless insiders. Additional mitigation strategies to maintain the confidentiality, integrity and availability of data include:
- Security Policies and Procedures – provides guidance for what must be done to protect the business information stored on the network.
- Accountability – holding users accountable for their actions.
- Least Privilege Access - principle that grants access only to the information and resources necessary for its legitimate purpose.
- Controlling Sensitive Data – know where your sensitive data is stored and who has access to it.
- Data Loss Prevention Tools – tools designed to detect potential data breaches / data ex-filtration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-use, in-motion, and at rest.
Just as organizations implement a Defense in Depth strategy for the perimeter, organizations should implement a Defense in Depth strategy within the internal network to ensure the confidentiality, integrity and availability of data.
With the nature of social engineering vulnerabilities, organizations can mitigate attacks through awareness and training. All it takes is one individual within an organization to allow an attacker access to the organization's internal network. By exposing employees to social engineering techniques and examples, users will know how to recognize and avoid a phishing attack.
Being proactive in training employees to social engineering techniques can be the difference between successful or unsuccessful social engineering attacks. There are a number of tools and organizations that can help with security awareness training and mock-social engineering attacks to prepare employees to identify social engineering attacks.
Don't fall victim to a social engineering phishing attack. Don't delay in scheduling your security awareness training and mock social engineering attack. The network you protect will be your own.