Why is our Data still at Risk?

Despite skyrocketing costs/investments aimed at mitigating external and internal threats to our data, why are we still at risk?

The short answer is simple: we are neglecting the weakest link in any security equation, people. No matter how much we spend on hardware and software solutions, people remain the weakest link, and our IT spend barely addresses it.

The industry as a whole has spent years trying to address this “people” problem by developing tools, applications, hardware devices, etc., but the bottom line is that once you give someone access, no matter how much technology (two-factor, multi-factor, etc.) you implement, they remain a risk and are subject to social engineering attacks.

To make my point, here are a few social engineering techniques that, you may be surprised to learn, work more often than not.

1 – Impersonation – This one can be done in person or over the phone. It requires a little homework and maybe some information gathering, but it works.

Example 1: A malicious actor researches the target organization online and finds the name of the IT person in charge of support at the target organization (LinkedIn, perhaps). Using that person’s name and caller ID spoofing software, a call that appears to come from within the organization to an unsuspecting employee might go something like this:

Malicious Actor: “Hi, I’m working with <Insert IT person> and it looks like we may have had a cyber-attack recently. I’m calling to walk you through how to change your password. Do you have a moment to do it now? It won’t take long.”

Unsuspecting Employee: “Uhhh, sure.”

Malicious Actor: “Great. OK, go ahead and press Ctrl+Alt+Delete, and then click Change a password.” Pause for a few seconds. “Are you there? What are you thinking of putting? Remember, it needs to be a strong password.”

Unsuspecting Employee: “How about puppies123$?”

Malicious Actor: “I think that will work. Thanks for your help.”

Example 2: A malicious actor approaches the front desk of the target organization wearing a service provider shirt (AT&T, power company, copy/printer services) and carrying a toolbox, a computer, and some random materials (e.g., printer toner). The conversation with the unsuspecting employee might go something like this:

Malicious Actor: “Hi, we got a call that there were issues with the (phone lines, printers, whatever) and I’m here to take a look. Would you please show me to the (phone closet, server room, printer, etc.)?”

Unsuspecting Employee: “Uhhh, sure.”

Note: Once in, how hard is it for the malicious actor to install a keylogger, access the network, or perhaps even find sensitive information in plain sight?

2 – Getting to Know You – A malicious actor launches an information gathering effort to get to know you. Once they know where you work, where your kids go to school, which Starbucks you stop at on the way to work, and which gym you go to, devising a plan to take your badge from your gym bag, or becoming familiar enough to you to tailgate you into restricted areas at work, is not that difficult. How much information might a malicious actor be able to collect on you from the following?

  • Online: Facebook, LinkedIn, Google – your family members’ names, where you went to school, your interests, where you “check in”, when and where you vacation, what technologies your organization has recently implemented.
  • Public records: where you live, your spouse’s name, your lender (home mortgage), your birth date.
  • Gym/happy hour/etc.: where you work, your work badge, and, if you make it a habit to go out right after work, where your laptop is.
  • Dumpster diving: I know… yuck! But there are all kinds of invaluable details there (e.g., account numbers, who you bank with).

3 – Getting a Job (There or for a Vendor) – Depending on the upside, a malicious actor may opt to get a job with your cleaning service, plant service, etc., just to gain access to your work area. Do you background check your own employees, and do you require your service providers to background check theirs?

So how do we address this? Well, the answer remains the same: awareness and training. There is no shortcut. Limit what you put out there about yourself and protect what is already there.