This is the tenth in a ten-part series on information technology security from SBAM Approved Partner NuWave Technology Partners.
In the very first article in this series we discussed how every network is a target, the value of information stored on all networks and the automated way that many attacks are launched. In this article we will discuss the most vulnerable part of the network, the humans that use it. That is right, YOU Are the Target!
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Since most employees are unaware of the techniques used, social engineers are able to play on a person’s needs, emotions, or natural desire to help in order to get confidential information. They may gain small pieces of information from several different people that can be put together to gain access to a system. Some of the techniques used are:
- Pretexting: creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
- Phishing: sending an email with a link that leads to a fake website that is an identical replica of the real one (often a financial institution’s) and asks for confidential information.
- Spearphishing: a targeted attack on a specific person or department. The attacker uses social media to gather information about the person or group, such as the name of a high level person the target would be familiar with (their boss or the company CFO or CEO), and then uses that name to request that the victim divulge confidential information.
- Quid pro quo (something for something): the attacker calls several people in a company pretending to be their help desk. Eventually they find someone who has a problem, begin to help, but get the victim to disclose confidential information or type in commands that give the hacker access to their system or network.
- Tailgating: In buildings or areas that have electronic access control, a person with a legitimate badge swipes in, then out of common courtesy holds the door for the attacker who shows a fake badge or explains that they have forgotten it.
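The phishing technique above relies on a link that looks legitimate but leads to a replica site. As an added defensive example (not code from this article or from NuWave Technology Partners), the Python script below shows the kind of check an email gateway, or a training exercise, can run over an HTML message: it flags links whose visible URL differs from the real destination, and links whose destination merely embeds a trusted brand name inside an unrelated domain. The sample message, the brand domain examplebank.com and the lookalike domain verify-login.net are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercased host of a URL or URL-like text, or '' if there is none.
    Non-web schemes (mailto:, tel:, javascript:) are out of scope and yield ''."""
    candidate = value.strip()
    try:
        parsed = urlparse(candidate)
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            return ""
        if not parsed.scheme:  # bare "www.examplebank.com/login" style text
            parsed = urlparse("http://" + candidate)
        return (parsed.hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    # Crude approximation: last two labels. A production check would use
    # the public suffix list so that e.g. "co.uk" is handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Visible link text that itself looks like a URL (the classic phishing lure).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def brand_abuse(href_host, trusted_domains):
    """Return the trusted domain whose brand label appears inside an unrelated host."""
    actual = registrable_domain(href_host)
    for brand in trusted_domains:
        label = brand.split(".")[0]
        if actual != brand and label in href_host:
            return brand
    return None


def suspicious_links(html, trusted_domains=()):
    """Return a list of findings, one per link that deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if not href_host:
            continue  # mailto:, relative links and similar are skipped
        reasons = []
        if LOOKS_LIKE_URL.match(text):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                reasons.append(f"visible URL is on {text_host} but destination is {href_host}")
        brand = brand_abuse(href_host, trusted_domains)
        if brand:
            reasons.append(f"destination {href_host} imitates {brand}")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample message: one lure, one genuine link, one mailto link.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please sign in at <a href="http://examplebank.com.verify-login.net/auth">https://www.examplebank.com/login</a>.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help page</a>.</p>
<p>Or email <a href="mailto:support@examplebank.com">support</a>.</p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, trusted_domains=("examplebank.com",)):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The same two checks are what a trained employee performs by hand: hover over the link and compare the real destination with what is displayed, and read the destination domain from the right, since anything to the left of the registrable domain is under the attacker's control.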
Without proper and repetitive training, employees can be easily tricked or manipulated into assisting in these types of attacks. The SANS Institute offers a set of short three to five minute videos that many organizations require all of their employees to watch on an annual basis. These and other resources can be found at https://securingthehuman.sans.org/resources. The awareness posters on this site are excellent. Some other good resources are:
- https://www.knowbe4.com partially owned and operated by Kevin Mitnick, a world-famous hacker turned security consultant
- http://krebsonsecurity.com written by Brian Krebs, a former reporter for the Washington Post who specializes in covering security stories
- http://krebsonsecurity.com/category/data-breaches only read this if you do not want to be able to sleep at night. On this page, Brian discusses, in plain English, high profile security breaches and how they happened. It is a very interesting and informative site.
- https://www.privacyrights.org/data-breach this site not only has a search engine to look up data breaches, it also has many resources about reporting requirements and your rights if your personal information has been breached.
If you spend even a few minutes browsing these sites you will quickly realize, as was discussed in the password article in this series, how important it is to use a different password on each website that you have to login to. While this is inconvenient and most likely will require a password vault to store all of your passwords, it is certainly better than having to deal with an identity thief that gained access to all of your accounts with just one password.
Cybercrime is one of the fastest growing threats to your network and data. You and your staff are the most vulnerable to attack. Training your employees to know what to look for and how to be safe on their computer at work and at home will have many benefits. You will not only minimize the risk of lost productivity from an employee that is distracted while spending hours recovering from a personal cyberattack, you may also save your business the cost and embarrassment of a data breach on your business network.