[BreachExchange] Defending Against a Hack Attack

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 28 17:26:40 EDT 2016


http://opensources.info/defending-against-a-hack-attack/

In the new world of social networking, it is much easier to gain useful
information about a target than it ever has been before.  Social networking
is a hacker’s paradise.

The most dangerous hackers currently focus on finding accounts that lead to
deep penetration of networks—which means your personal accounts can also
put your company at risk.  Your personal identity can be a vector for a
hacker to leverage your relationships.  Your workplace, colleagues,
properties, investors, clients and friends can all be made vulnerable
through your Facebook or Twitter account.

From a hacker’s perspective, finding a vulnerability on your personal
accounts is a golden opportunity. Learning your passwords is just the
beginning of a hack.  The bonanza comes when the hacker is able to use your
personal information or social media connections (or Facebook
relationships) to determine where you work, volunteer or invest. Using your
password to log in to your work servers, the hacker will sit quietly,
watching the patterns on the network and gathering information about the
environment. Typically, hackers create what are known as lateral accounts,
which enable them to get back in “legitimately” under their own logins.
Then they give themselves new permissions, allowing them to access deeper
levels of the network.

Once the hacker figures out where personally identifiable information is
stored, or information about clients and investors, they will exfiltrate
the data, accessing it with an apparently legitimate account they have
created.

Trouble Under the Radar

A hack no longer necessarily means that your network blows up, gets
ransomed or is otherwise visibly compromised. It is far more
likely that a compromised network will go undetected for the national
average of ten months while exfiltrated data is continually mined, used to
gain more footholds in more networks and sold on the Dark Web.

As a side effect, senior people in an organization will often find their
personal accounts penetrated and their email accounts taken over. Consider
the mayhem that can occur if the CFO of a commercial real estate management
firm receives an email purportedly from the managing director requesting a
wire transfer for $5 million. If a hacker sent that email, and the firm has
no procedure for confirming its validity, the company could quickly be out
$5 million. And because cybercrime insurance policies rarely cover the
voluntary transmission of funds by an employee, there is no recourse.

Even more frightening is the potential for a hack to extend beyond its
original borders. The sensitive data that exists on most CRE firms’ servers
contains everything from personally identifiable information (often called
PII for short) to institutional investor information, critical information
on properties and even the software that allows for remote property
control. Getting hold of that data, in combination with the names and email
accounts of trusted CRE advisors, can help a hacker create multiple
penetrations that can be extremely profitable. Getting into the controls
for a building can be an opportunity to take over operations, impacting the
tenants of unprotected management firms.

Safety Measures

Fortunately, most people can protect themselves from even highly
sophisticated attacks by taking a few steps that require relatively little
effort.

Monitor your social networking permissions. Make a monthly appointment with
yourself to review and update your social networking security settings.
Review those for your company accounts, as well.  The major networks are
constantly updating the ways in which you can protect yourself. And while
you’re at it, change your passwords.

Use two-factor authentication. Two-factor authentication is becoming
increasingly common because it relies upon more than one aspect of your
life to protect your account. Sites like Twitter have long offered
two-factor authentication, validating access from unknown devices by
calling or texting a different device. You can turn on this option in your
settings.

Isolate and protect your assets. Just as using the same password on
multiple sites can allow compromise, keeping your properties’ or investors’
information on the same network as your daily operational information is
risky. Isolate your property systems and information, and protect each
network independently.

Hang out with a good crowd. If your mom’s Facebook account is compromised
and you are linked to her, you too can become a target. Help educate your
friends, associates, and particularly your vendors about their own
cybersecurity. Smaller firms that serve commercial properties are often
underserved in information technology. Extend your resources to help them
bring their systems up to par and to educate their employees.

Implement strong processes. Your critical processes need to be well defined
and well documented. Wire transfers should require at least two parties to
authenticate before a release. Changes in information about clients,
particularly about their banking arrangements, should require at least two
forms of contact with that investor. When processes are automated, ensure
that there are enough controls in place that no information or funds can be
released without prior human approval.
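
The two controls described above can be enforced in an automated release path. The sketch below is an added example, not code from the original article; the names WireRequest, approve, apply_banking_change and release, the account numbers and the role names are hypothetical, and approver ids are assumed to come from an authenticated session rather than from an email.

```python
from dataclasses import dataclass, field


class ReleaseDenied(Exception):
    """Raised when a control required before release is not satisfied."""


@dataclass
class WireRequest:
    requester: str            # authenticated user who entered the request
    investor: str
    account: str              # beneficiary account named in the request
    amount_usd: int
    approvers: set = field(default_factory=set)


def approve(wire: WireRequest, approver: str) -> None:
    # The person who entered the request never counts as an approving party.
    if approver == wire.requester:
        raise ReleaseDenied("requester cannot approve their own transfer")
    wire.approvers.add(approver)


def apply_banking_change(on_file: dict, investor: str, new_account: str,
                         confirmed_channels: list) -> None:
    # Two *different* forms of contact; the same channel twice counts once.
    if len(set(confirmed_channels)) < 2:
        raise ReleaseDenied("banking change needs two forms of contact")
    on_file[investor] = new_account


def release(wire: WireRequest, on_file: dict) -> str:
    # Control 1: at least two distinct human approvers.
    if len(wire.approvers) < 2:
        raise ReleaseDenied("wire needs two approving parties")
    # Control 2: funds only go to the account already verified for the investor.
    if on_file.get(wire.investor) != wire.account:
        raise ReleaseDenied("account differs from the one on file")
    return f"released ${wire.amount_usd:,} to {wire.account}"


if __name__ == "__main__":
    on_file = {"investor-a": "ACCT-1111"}          # constructed sample data
    wire = WireRequest("cfo", "investor-a", "ACCT-9999", 5_000_000)
    approve(wire, "controller")
    approve(wire, "managing.director")
    try:
        release(wire, on_file)
    except ReleaseDenied as err:
        print("blocked:", err)   # two approvals, but the account is not on file
```

Even with both approvals, a request naming an account that is not on file is blocked until the change itself has been confirmed through two separate channels.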

Today, your personal social networks can also affect the security of your
company.  Take a few simple steps and you can safeguard both your personal
activities online and your critical business network.