[BreachExchange] Humans: The weakest link in social engineering and cyber attacks

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 22 19:09:48 EDT 2017


We’re all human; we make mistakes. But there are plenty of people out there
trying to take advantage of a simple mistake that could cost a business
millions of dollars.

Social engineering is the act of taking advantage of human behavior — or
that one little mistake — to steal confidential information. It’s a scam
that has been around for decades but it’s become a bigger problem thanks to
the internet and the rise of various forms of electronic communication. In
fact, 60 percent of businesses fell victim to a social engineering attack
in 2016.

Exploit natural inclination to trust

Social engineering works because it’s easier for hackers to exploit the
natural inclination to trust someone than to figure out a new way to access
a computer.

Google confirmed this month that a massive phishing scam hit millions of
Gmail users in the form of an email from a trusted contact who appeared to
be sharing a Google doc. To the unsuspecting eye, the email looked almost
as authentic as an email from Google, down to the URL and login page. If a
user clicked the link and granted permission to a fake app called Gdoc,
they might have exposed their contacts, emails and any personal information
contained there. Luckily, Google caught the attack quickly.

Consider this scenario: An HR staffer uses a work laptop at a coffee shop.
Using public Wi-Fi, this individual logs in to the company’s cloud-based
accounting software to work on payroll. A hacker on the same public Wi-Fi
network gains access to the company’s accounting software, putting the
business and employees’ personal information at risk.

Social engineering attacks don’t always happen online. For example, an
attacker could access the phone directory of a large company and pretend to
be returning a call from technical support. The attacker may leave a
message on the phone or get in touch with the person directly. While many
people who hadn’t filled out a tech support ticket may simply say, “Sorry,
you’ve called the wrong person,” the criminal is bound to reach someone who
had submitted a technical support request.

In this scenario, the attacker tricks the victim into thinking he can offer
help and asks for sensitive information, such as a password, to access the
computer or specific systems. He may then log in to the computer after
hours to steal information or launch malware.

Significant interruption to business

Unfortunately, by the time employees figure out that they’ve been duped,
it’s often too late. A business would be left to deal with a myriad of
costs, such as state-mandated breach notification and credit monitoring for
impacted third parties, a significant interruption to its business, and
a potential public relations nightmare. In addition to
notification and credit monitoring, impacted customers may claim privacy
and personal injury damages, intellectual property infringement, financial
injury claims, or damage to their property.

The most important line of defense, in addition to business insurance
coverage, is to educate employees about these threats and put in place
protocols that help prevent social engineering attacks. These might include:

- Guidelines for employees to regularly change their passwords for their
  computer systems, accounting software, email and other programs where
  sensitive information is stored.
- Establishing a standard framework for how information is shared throughout
  the company. Not everyone should have access to sensitive data, especially
  if it’s not relevant to their job.
- A policy for how sensitive information is asked for and given. For example,
  bank or accounting information should never be shared via email or over the
  phone; all inquiries should be made in person.
- A policy for identifying employees in the office. For example, all
  employees should wear badges that are shown when entering the office. If
  someone claiming to be an employee doesn’t have identification, he or she
  shouldn’t be let in until they can be identified. Visitors should also be
- Safe document management systems and disposal services keep sensitive
  information under lock and key so that prying eyes can’t get to it.
- Tests for employees. Following training, employees should occasionally be
  tested to ensure they understand typical social engineering and hacking
  scams and don’t hand off sensitive information.

Because social engineering is an evolving risk, conduct insurance policy
reviews often to ensure that your client's business is adequately protected
should they fall victim to social engineering fraud.

We’re all human, after all.