[BreachExchange] Why Your Staff Need To Think Like Hackers

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 17 18:01:05 EDT 2018


My experience working for the U.K. Police Cyber Crime Unit taught me that
hackers are increasingly targeting staff as a way to bypass your technical
defences. This type of attack, known as social engineering, provides
hackers with a better “return on investment” than tackling your firewall.

To best defend your business, staff need to be well trained. This needs to
go further than computer-based, box-ticking training. It needs to be an
investment in the development of a security culture.

Think like a hacker

One of the toughest attack vectors to spot is the spear phishing attack.
Spear phishing is a malicious email that is targeted at a specific person.

Imagine that you are a hacker. You find the company that you want to
target, for example, Vulnerable Inc. You go online to find people who
work there. You come across Rachel, who works in the finance team and is
very active on social media.

You find her on Facebook; her privacy settings are fairly locked down, so
you can’t see much. She has 689 Facebook friends. This probably means she
adds people she hasn’t actually met.

You send her a friend request and she accepts.

Now all those privacy settings she has set up are null and void; you can
see everything. You browse her posts and build up a picture of who she is
and what she likes. Eventually you come across a post from last Wednesday:

“At Bristol Gourmet Burger Kitchen AGAIN tonight with the girls. Eating my
favourite the Tennessee Burger. I must be their best customer!!”

You Google “Bristol Gourmet Burger Kitchen”. Once on their website you
take a screenshot of their logo, social media handles and address. You
start to craft a phishing email:

Dear Rachel,

We hope you enjoyed your Tennessee Burger last Wednesday. We are reaching
out to all our loyal customers to offer them a free meal. Register your
details by clicking the link below to redeem your free voucher. Vouchers
can be redeemed anytime but you have to register today. We look forward to
seeing you again soon.

Bristol Gourmet Burger Kitchen

You send the email to her work address containing a malicious link.

Why does this work?

The information that you insert into the email is designed to build trust
and familiarity. You add a deadline into the email to ensure Rachel acts
quickly and without thinking about things like “why would the restaurant
have my work email?”

What can you do?

Train staff: Staff should realise how information they put online could be
used maliciously. If they can think like a hacker, they can understand what
they should and shouldn’t post online.
Company policies: Make sure staff understand what to do if they do receive
a suspicious email.
Audit information online: You may be surprised what information is out
there that you may have forgotten to delete.
Website information: Keep information about staff to a minimum on your