Pop quiz: what’s the biggest cybersecurity threat to your IT system?
A. Inadequate security technology
B. Malicious employees
C. Unsuspecting employees
It might surprise you to learn the answer is often C. In light of the seemingly never-ending string of data breaches and cyber attacks in the news – from Target, to Home Depot, to celebrity photo leaks to the information accessed and shared by Snowden – everyone is asking what we can do differently to prevent attacks in the future. What technology should be in place? What steps can administrators take to protect the network? These are good questions to ask, but there is one facet – perhaps the most important facet – of cybersecurity that can no longer be ignored. The biggest threat to the security of your system is the people who use it.
Sure, there’s the threat of a malicious insider who purposely accesses sensitive information, and inadequate security technology in the face of a constantly changing threat cannot be overlooked – but every day, employees are placing systems in jeopardy without ever realizing it. The following common and simple examples of ways hackers are leveraging innocent employees might surprise you, but education and awareness are the first steps to risk mitigation.
LinkedIn profiles. In this day and age, we all have them. Professional social groups on the popular site are growing rapidly in number, and it only makes sense for an IT professional to collaborate with peers online to stay up-to-date on best practices and issues facing the industry. However, these groups are also a ripe and effective breeding ground for outside hackers to infiltrate and cultivate insider candidates to launch malicious attacks.
How? Let’s say a hacker searches through a LinkedIn group for cybersecurity professionals. From there, the hacker can look through individual profiles to see an employee’s job description. Common job descriptions will list responsibilities for a position – including the specific types of technology an employee works with. Simply by gathering descriptions from a variety of IT professionals at a company, a hacker can effectively map out critical infrastructure, the type of data that might be available, and the hierarchy of the organization.
Once this online research is complete, the hacker can compile a list of ideal and acceptable candidates based on those openly shared resumes and job objectives. Using widely available, free open-source penetration testing toolsets, a hacker now has an easy mechanism to build an attack on a system. Which leads us to the next threat for unsuspecting employees: social engineering.
Headhunters. It’s flattering when you get the email or the call. Someone saw your job experience and skills online and has decided you are a perfect fit for their next open position. Receiving a seemingly innocent call from a headhunter can turn even the most benign employee into an active insider threat to an organization. By asking questions that seem normal in the context of a job search, a hacker posing as a recruiter can get an employee to reveal sensitive information about their IT infrastructure and level of clearance. Once contact has been made, an employee may be more susceptible to trusting communications and links from the hacker that can penetrate the system, or worse, lead to blackmail. Now, not only do employees need to be cautious of who they talk to, but also how they communicate – which drives our next threat: clone sites.
Clone Sites and Fake Links
People often use the same passwords across a variety of accounts. By targeting an employee through LinkedIn or Gmail, a hacker can often gain access to critical systems within an organization that use the same credential information. For example, an employee might receive a professionally created fake email asking them to click a link to change their Gmail or LinkedIn password due to recent security threats. Thinking they are taking the necessary steps to ensure proper security, employees will click on the link that takes them to an identical clone site for login. Upon entering their credentials, it will redirect them to the real login site as if the first attempt simply didn’t work. Most people won’t notice anything amiss with a one-time failure to successfully log in. Meanwhile, the hacker on the other end of the clone site has gained full access to credentials and sensitive information, which they, in turn, use to launch an attack on the employee’s organization.
These types of attacks are increasingly common. Some 48% of respondents to the Ponemon State of Endpoint Risk study reported that spear phishing attacks were occurring frequently within their organization. The same study reports that spear phishing was the most common way an APT attack started, reported by 45% of respondents. Web-based click jacking came in second, at 34%, and was followed at 33% by fraudulently signed code or digital certificates.
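The clone-site lure described above leaves two tell-tale signs in the email itself: the visible link text shows one host while the href points somewhere else, and the destination host merely contains a brand name (linkedin, gmail) without being that brand’s real domain. The following is an added example, not code from the original post or from any product it mentions, showing how a mail gateway or awareness tool could flag both indicators. The brand-to-domain list and the sample email are constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example).

Two credential-phishing indicators are checked for every <a> element:
  1. the visible link text shows one host while the href goes to another
  2. the href host contains a well-known brand name but is not that brand's
     own registrable domain (a clone-site lookalike)
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate registrable domains for the brands the post mentions
# (constructed for this example; a real deployment would use a curated list).
LEGIT_DOMAINS = {
    "linkedin": "linkedin.com",
    "gmail": "google.com",
    "google": "google.com",
}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic; adequate for .com-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Host part of a URL, or of a bare domain written as link text."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def looks_like_url(text):
    """True if the visible link text reads like a URL or a bare domain."""
    return "://" in text or ("." in text and " " not in text.strip())


def suspicious_links(html_body):
    """Return a list of (href, reason) for links that look like phishing."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        # Indicator 1: displayed host differs from the actual destination host
        if looks_like_url(text):
            shown = host_of(text)
            if shown and registrable_domain(shown) != registrable_domain(href_host):
                findings.append((href, f"text shows {shown} but href goes to {href_host}"))
                continue
        # Indicator 2: brand name embedded in a domain that is not the brand's own
        reg = registrable_domain(href_host)
        for brand, legit in LEGIT_DOMAINS.items():
            if brand in href_host.lower() and reg != legit:
                findings.append((href, f"lookalike of {legit}: {href_host}"))
                break
    return findings


# Constructed sample lure: one cloned link, one genuine link, one lookalike.
SAMPLE_EMAIL = """
<p>We detected unusual activity. Please reset your password:</p>
<a href="http://linkedin-security-check.example/login">
  https://www.linkedin.com/psettings/change-password</a>
<p>Or read our help article:</p>
<a href="https://www.linkedin.com/help/">LinkedIn Help Center</a>
<a href="https://accounts.google-verify.example/signin">Sign in to Gmail</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {href}\n  -> {reason}")
```

Run against the sample, the first and third links are reported and the genuine LinkedIn help link passes. The registrable-domain heuristic is deliberately simple; country-code second-level domains (for example co.uk) would need a public-suffix list to be handled correctly.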
So what can we do?
The first step is education. Make sure employees are aware of hacking techniques to prevent harvesting of their credentials. Encourage employees to take advantage of security best practices including two-factor authentication available for social media and personal email sites. The added security of a special code sent to an employee’s mobile phone is often enough of a deterrent for hackers who can’t go through the complicated step of hacking a personal cell phone to gain access.
Ask employees never to click on links embedded in emails – even emails that look completely legitimate. Ask them to always manually type in the web address of the site they are trying to log into. For IT professionals in particular, encourage employees to be wary of calls or emails from recruiters, and to be selective in what information they include in their online LinkedIn profiles. Make sure employees know not to re-use passwords across websites and email platforms.
Finally, employ a zero-trust security model in your IT infrastructure. A zero-trust model like that enforced by Xsuite assumes no trust and always verifies access attempts – thereby looking for the exceptions in behavior that seem out of place. By employing a zero-trust cybersecurity solution, credentials are vaulted, stored and rotated – never trusted to individual employees. Out-of-character behavior on the system will be immediately flagged and can be reviewed with DVR-like playback to see exactly what an employee (or hacker posing as an employee) was doing. Access is only granted on an as-needed basis, which can prevent hackers from elevating the existing privileges of unsuspecting employees to access sensitive information.