How Your Digital Crumbs Are a Feast for Corporate Cyber Hackers

March 30, 2016 | Secure Halo

It’s a digital world and increasingly, as we all live and work online, we leave bytes of information – digital crumbs – scattered across social media that can be used by hackers to attack not just us but bigger targets – our employers.

Yes, the family trips, causes we support, alumni associations we’re part of, and new jobs or promotions we celebrate online are the details determined hackers can, and have, used to target individuals in an effort to compromise the sensitive information of their employers.  How?  Because what we view as interests, bad actors see as opportunities and vulnerabilities.

In the view of many, cybersecurity or enterprise security tends to focus on what we refer to as data security, but in fact, threats to an enterprise’s security may emanate from a variety of vectors.  The trusted insider plays an important and oftentimes overlooked role in the compromise of data.  Additionally, a lack of vetting of third-party providers and supply chains creates an immense risk to corporations.  That’s why at Secure Halo, we focus on six domains: Data Security, Insider Threat, External Business Operations, Internal Business Operations, Mobility, and Physical Security.

But what does this have to do with social engineering and your Facebook or LinkedIn account?  As we described in a presentation at the recent Business Insurance Risk Management Summit in New York, it’s the connection to one domain in particular – Insider Threat.

We are all the Insider Threat 

Simply put, an Insider Threat is a current or former employee, contractor or someone who has or had authorized access to sensitive data, systems, technology, personnel, or other items of interest.   That’s most of us, and that’s why more than 70% of all cyber breaches are attributed to a credentialed or trusted insider.

The greatest number of security breaches occur from negligent employees.  How many of us have written down all our passwords and left them in plain sight, given our usernames and passwords to colleagues, or yes, even used “password” as our password?

Malicious insiders, most often a disgruntled or departing employee, may knowingly steal or sabotage systems, IP or other important virtual or physical assets.  Compromised insiders have had their credentials stolen or otherwise compromised by an outsider for purposes such as espionage, fraud or attack.

If you’re a Compromised or Malicious Insider, you may be susceptible to recruitment through social media or some other electronic medium like chat rooms or message boards.  Negligent insiders – most of us – may be targeted through phishing or spear-phishing campaigns.  With increasing access to smart phones and the Internet of Things, unwitting or negligent insiders represent the largest pool of potential insiders, and if you haven’t already been targeted by some sort of scam, you’re in the minority.

Social Engineering – How it Works

Social engineering is nothing more than conning you.  Most people within organizations don’t want to challenge or create an uncomfortable social interaction, and as a result they assume someone belongs or is not out to manipulate them into providing private or proprietary information.  Social engineering takes advantage of this by combining human interaction, whether in person or via a virtual medium, with social skills, in order to obtain or compromise sensitive data.

An adept criminal or other malicious actor will compile data on you using whatever means necessary.  The logical first step is to scour your social media presence to tailor their social engineering exploits.  For example, using posted details about travel plans, an individual may pose as a hotel employee to call and “confirm” details such as credit card and room number, or birthdate.

Another example of social engineering is the dramatically increasing problem of Business Email Compromise.  Targeted emails that appear to originate from company executives are sent to an employee with access to company funds, ordering them to make wire transfers.  Clever criminals have already gathered intelligence and know that the targeted company works with foreign suppliers or is expanding into foreign markets, so their instructions are not questioned.  Such schemes have netted criminals $800 million in the past six months since August 2015, according to the FBI.

Phishing on the Menu

But the most ubiquitous form of online compromise is through phishing and spear-phishing.  What’s the difference?  Phishing campaigns tend to be exploratory, looking for targets of opportunity.  Most people have probably received a phishing email – or hundreds of them.  Most of them are directed to your junk box or blocked by your network’s perimeter defenses.  Similar to social engineering, or used in conjunction with it, phishing is a technical deceit that attempts to manipulate victims into opening files or attachments, or clicking on embedded links in an email, as a means to deliver malware.  In fact, not only criminals, but nation-states use phishing campaigns to target broad industries of interest.

Spear phishing is much more targeted.  Collecting data on the potential victim and using social engineering techniques will increase the likelihood that a phishing email will bypass spam filters and actually reach the end user.  Once the email is opened, a variety of malware can be injected.  This is how a trusted insider becomes the threat.

So, what does a typical targeting cycle look like?  First the attacker identifies employment history, family data, hobbies, etc. to create a profile and identify your potential motivations or vulnerabilities.  Next, he tries to build a relationship remotely using a cover that appeals to your preferences.  Do you ever accept online connection invites with someone you’ve never heard of, or receive unsolicited offers for jobs or interviews?

Determined hackers also craft tailor-made emails using information gathered on your company, often including actual names of colleagues and a malicious attachment.  If you click, which studies repeatedly show many people do, you unwittingly become the Insider and the attacker uses this as a jumping off point to infest your organization’s network.
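The Business Email Compromise pattern described earlier (an executive’s name on a message from an outside mailbox, pressing for a wire transfer) and the tailored spear-phishing email described just above (a colleague’s name plus a malicious attachment) share the same tell-tale signs in the message headers. The following is an added example, not code from Secure Halo or this post, showing how a mail gateway or help-desk triage script can flag those signs before a recipient has to rely on their own judgement. The internal domain `example.com`, the protected names, the keyword list and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed configuration: the organisation's own mail domain and the
# display names an impersonator would most plausibly borrow (executives,
# finance staff, HR). Real deployments would load these from a directory.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john smith"}  # hypothetical staff names

# Wording that appears in payment-pressure emails; two or more hits from an
# outside sender is worth a second look.
WIRE_KEYWORDS = ("wire transfer", "urgent", "confidential", "payment")

# Attachment types that can carry executable content.
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list:
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    external = from_domain != INTERNAL_DOMAIN

    # 1. A trusted colleague's display name paired with an outside mailbox.
    if name.strip().lower() in PROTECTED_NAMES and external:
        findings.append(f"display name '{name}' used with external address {addr}")

    # 2. Replies silently redirected to a different domain than the sender's.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, r_addr = parseaddr(reply_to)
        if domain_of(r_addr) != from_domain:
            findings.append(
                f"Reply-To domain {domain_of(r_addr)} differs from From domain {from_domain}")

    # 3. Payment-pressure wording from outside the organisation.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [k for k in WIRE_KEYWORDS if k in text]
    if len(hits) >= 2 and external:
        findings.append(f"external sender with payment-pressure wording: {hits}")

    # 4. Executable-capable attachment from outside the organisation.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS) and external:
            findings.append(f"external sender attached executable content: {filename}")

    return findings


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe.ceo@mail-lookalike.net>
Reply-To: Jane Doe <ceo.office@another-host.org>
To: accounts@example.com
Subject: urgent wire transfer

Please process a confidential wire transfer to our new supplier today.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 budget

Let's meet Monday to review the Q2 numbers.
"""

SPEAR_SAMPLE = """\
From: John Smith <john.smith@example-hr.net>
To: staff@example.com
Subject: Updated org chart
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi, attached is the updated org chart we discussed.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="org_chart.docm"

dGVzdA==
--XX--
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE), ("spear", SPEAR_SAMPLE)):
        print(label, analyze(sample) or ["no findings"])
```

The checks deliberately look only at headers and structure, which is what a recipient rarely inspects and what a gateway can evaluate cheaply; they complement, rather than replace, the awareness training the post argues for, and a hit should route the message to a human who can verify the request out of band.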

Cyber Threats About More than IT

Every day individuals are targeted, through mass online schemes and detailed social engineering efforts.  As a result, we are all insider threats.  Cyber security is not so much a technology problem for your IT department to solve; it’s a people problem.  In fact, increasing IT budgets to combat the problem through a technological solution eventually results in diminishing returns on those investments.

We believe the best defense is a proactive and holistic approach to cyber security that includes not only technology, but also involves processes and people.  That means changing the culture of our workplace, involving key stakeholders across the enterprise, and creating awareness about how to prevent your digital presence from impacting yourself and your employer.
