Mitnick Security Blog - Cybersecurity News and Articles

The Top Hacking Techniques All CISOs Should Educate Remote Users About

Written by Mitnick Security | Aug 11, 2020 5:15:00 PM

There's no arguing that 2020 has been a challenging year for an overwhelming number of industries across the United States. The COVID-19 pandemic has forced many companies to explore new business models, both in what they offer and in how they structure internal operations.

As a result, many corporations have turned to remote operations, allowing employees to work from home for health and safety reasons. Major corporations like Facebook are now allowing employees to work from home permanently as a result of the pandemic. Others have switched to remote work simply to stay open while restrictions prevent full on-site operation.

The hacking community is eating this up. While corporate environments offer multiple layers of security, employees' home networks often do not. Bad actors are all too aware of these new weaknesses and are targeting remote users as a way into your corporate systems and data.

As a CISO, it's crucial to understand that remote work has changed the threat landscape, putting your company's private data and integrity at risk. Let's explore the top techniques attackers are using right now against remote employees, so that you can make the right changes and better equip your at-home staff. Luckily, there are only two major threat buckets we recommend considering when staff work from home.

Social Engineering

Your staff members are, without a doubt, your company's biggest vulnerability when operating remotely. Even with all the right technology safeguards in place, all it takes is one employee being fooled by a bad actor posing as a trusted source, and the attacker has a way in.

Let’s learn more about the most common social engineering tactics:

Phishing

One of the most common forms of social engineering is phishing, where an attacker poses as a trusted source to get your employee to click a malicious link or open a malware-laden attachment, infecting a company device (or a personal device that is connected to your tools or servers). It could be a spoofed email address that looks awfully close to a manager's address, asking a lower-tiered staff member to take an action. Or it could be a look-alike URL that prompts the user to download a normal-looking PDF.

Management like yourself are not excluded. In fact, many attackers deliberately target high-privilege leaders or senior employees in an attack known as "whaling," knowing that if they land the big fish, they gain even deeper access to the goods.

No matter the method, the result is usually the same. Once the employee clicks the malicious link or opens the malicious file, the malware gives the attacker a foothold on that device, from which they work their way toward your corporate systems and file shares. Learn more about the latest phishing email scams here.
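The spoofed-address and look-alike-URL tricks above can be caught mechanically before a user ever sees them. The following is an added example, not code from the original article or from Mitnick Security: a small triage check that inspects an email From header for a typosquatted or confusable-character domain, for an executive's name on an external address, and for a trusted address smuggled into the display name. The trusted domains, executive names and sample headers are constructed for the example.

```python
"""Flag look-alike sender domains and display-name spoofing in email From headers.

Added illustration of the phishing tricks described above. TRUSTED_DOMAINS,
EXECUTIVE_NAMES and the sample headers below are constructed for the example.
"""
from __future__ import annotations

import re
from email.utils import parseaddr

# Constructed: the organisation's real domains and the people attackers like to impersonate.
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Character substitutions commonly used to build look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Fold confusable sequences so 'exarnp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the host, so 'mail.example.com' is treated as 'example.com'.
    Simplification: ignores multi-label public suffixes such as .co.uk."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def assess_sender(from_header: str) -> list[str]:
    """Return the reasons a From header looks like impersonation (empty list = no finding)."""
    reasons: list[str] = []
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable address"]
    domain = registrable(address.split("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return reasons  # genuine internal sender domain

    # 1. Look-alike domain: confusable folding, or a typo distance of 1-2 from a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted):
            reasons.append(f"confusable look-alike of {trusted}: {domain}")
        elif edit_distance(domain, trusted) <= 2:
            reasons.append(f"typosquat of {trusted}: {domain}")

    # 2. Display name claims to be an executive, but the address is external.
    if display.strip().lower() in EXECUTIVE_NAMES:
        reasons.append(f"executive name '{display}' on external address {address}")

    # 3. Display name embeds a trusted address, to fool clients that hide the real one.
    for trusted in TRUSTED_DOMAINS:
        if re.search(r"@" + re.escape(trusted), display, re.IGNORECASE):
            reasons.append(f"display name contains {trusted} address: {display!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one genuine, four impersonation attempts, one benign external.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@exarnp1e.com>",
        "John Smith <john.smith@exampel.com>",
        '"jane.doe@example.com" <reply@gmail.com>',
        "Newsletter <news@vendor-updates.net>",
    ]
    for header in samples:
        print(header, "->", assess_sender(header) or "ok")
```

A real mail gateway would add SPF/DKIM/DMARC results and a public-suffix list, but the three checks above already cover the spoofed-manager and look-alike-domain cases the text describes.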

Vishing & Smishing

Bad actors aren't only attacking your email; they're also targeting your staff's voicemail and text message inboxes. A convincing, high-urgency voicemail asking an employee to take action can be hard to ignore. While working from home, this is even more dangerous, as staff who are out of the office may find a message like this perfectly normal.

Oftentimes, the bad actor will weave a false story or situation (called pretexting) to convince your remote staff to share confidential information. Check out this other article and included video for some prime examples of phone and text message phishing ploys from cybersecurity expert Kevin Mitnick.

Baiting & Quid Pro Quo

When you want to catch a fish, what do you do? You string some bait on a hook and cast a line. Malicious actors can trick your employees the same way by offering tempting bait, for instance a free video download that infects their device with malware. Warn your employees to think before clicking on too-good-to-be-true offers, because chances are, they are.

A quid pro quo attack is similar to a baiting attack, except the bad actor typically offers a service rather than a product. This may be an email offering a free trial of a new product that your employee never requested. A recent example is impersonators of the U.S. Social Security Administration (SSA) asking recipients to "reconfirm" their Social Security number, which is then used to steal their identity.

Routers & Wireless Access Devices

Another big way bad actors get in is through your remote employees' unprotected home routers and wireless access points. Every time an employee logs onto a company device from home, the traffic passes through a personal router to reach the internet. This is true even if they use a company-vetted device and never touch their own private smartphone or other personal technology.

But what do you do? CISOs are responsible for ensuring that all corporate devices are updated regularly, with the latest security patches applied. Have staff apply the same discipline to the home router itself: change its default administrator password, keep its firmware current, and use WPA2 or WPA3 with a strong passphrase on the wireless network. From there, be sure to provide and enforce the use of corporate, secure storage solutions, which you can learn more about on our remote users blog.

We also recommend having your staff use a virtual private network (VPN) when working remotely. A VPN sets up an encrypted tunnel from the employee's device to a trusted network, so their traffic is protected from whoever controls the local network, whether that is a home router or a cafe hotspot. Keep in mind that a VPN secures the connection, not the endpoint: it does nothing to stop a phishing email or a malicious download once the employee is connected.

Tips for Educating Your Staff

Looking for some key takeaways? Here are a few quick yet impactful things to keep in mind when informing your employees of the current remote threat landscape:

  • Don’t provide a long, technical list of threats. Just like tech-talk doesn’t translate to the C-Suite, your staff will likely struggle to decipher technical jargon (if they even read through it to begin with!). Keep your rules as simple and easily understood as possible to ensure your staff knows exactly what you’re asking of them.
  • Share examples from the real-world. Most people need to see tangible examples to truly understand something. Find real-life stories to demonstrate remote threats, either in informative articles or easy-to-watch videos. Your staff will better grasp and retain the lesson if they understand how the attack could unfold.
  • Film a video walkthrough yourself. Instead of emailing your staff a flat and uninteresting list of new remote work regulations, shoot a video of yourself explaining the new policies and possible threats they may face. Again, this doesn’t have to be a technical overview. Use examples and narratives everyone can relate to and be crystal clear on what is and isn’t acceptable when working from home.
  • Invest in professional security awareness education and training. If you don’t feel confident explaining the threats yourself, let a professional take the reins. Some companies offer live hacking demonstrations to reveal just how easy it is for a versed cyber criminal to fool your remote workers. If you truly want to see how your staff would act in the face of cyber danger after attending awareness seminars, you have to put them to the test. Many reputable cybersecurity experts offer full online courses, with graded exercises and exams to score your staff’s preparedness for an attack.


Remote Workforce Cybersecurity Training

Curious to learn more about endpoint security when working from home? Check out our article on remote work considerations.

If you think your company could benefit from cybersecurity training or testing, explore our social engineering strength testing services today.