Mitnick In The News
Hackers Aren’t Trying to Hack Your Systems, They’re Doing this Instead…
Jan 31, 2017 - netstar, by Mit Patel
t’s easy to assume your company will be safe with security systems in place but this view just won’t cut it against the latest breed of hackers.
They aren’t trying to break down your Infrastructure at all, in fact – they’ve got a far simpler and more effective method, one they’re using to dismantle thousands of companies across the world every month.
“What is this method!?” I hear you cry.
Well, to quote Kevin Mitnick, once the world’s most wanted hacker: “If an attacker wants to break into a system, the most effective approach is to exploit the weakest link – people.”
The Element of Human Error
Ultimately, no matter how secure your network, there will always be one employee who, through a combination of bad luck and poor security awareness, lets through an attack.
This element of human error is what hackers capitalise on, in what’s become known as “social engineering”. The term, originated by Mr. Mitnick, means a hacker needn’t usually even break into a system as most of the time an employee will unwillingly invite them right in!
The rise of social media has fed right into the effectiveness of social engineering. The billions of interactions we make every day on Facebook, LinkedIn and other platforms has made it normal to us, and even brought us entertainment, when we receive weird requests from strangers. Yet this nonchalant attitude has become a danger to the workplace.
It’s an unfortunate reality of our social media-driven existence that an employee is now more likely to not only open a suspicious email or take an odd call but carry out its request, and this is exactly why social engineering has become so effective.
So, what is Social Engineering?
Simply put, it’s a hacker combining their technical skills with the coercion needed to break a member of your workforce and gain entry to your systems.
It can be simple and done without notice or it can be forceful and frightening. It can be a single act or one step in a complex scheme that only becomes apparent months later.
However it happens, social engineering capitalises when concentration lapses. It picks on an absent-minded executive or on an eager-to-please new assistant, with devastating results.
There are a number of ways hackers use social engineering – let’s cover each variant before we consider their prevention. Often your employees won’t even know what’s happened, so let’s make sure you do!
Phishing is when a hacker emails you while disguised as a company or colleague and tricks you into sharing personal information. 90% of the 294 billion emails sent around the world each day are viruses so it really is just a matter of time until you are affected.
The modern phishing email looks exactly like the real deal and can be very difficult to spot. This could be a general email sent to your whole team or a specific email (known as Spear Phishing) that targets a vulnerable newbie or specific executive.
It’s by no means a new technique yet social media’s ever-growing range of formats makes it easier than ever to catch you out with requests to update your password or to tag yourself in photos. See here - Our infographic with the top red flags to look out for!
Hackers are not always introverted nerds and can also be slick telephone con artists. By calling up a member of your team and pretending to be a fellow employee or related company, a hacker can obtain information that enables them to access your network or more specific data.
Some will call as many members of your company as possible to offer IT maintenance in the hopes one of them authorises their entry. Others will pretend to be the boss and demand an urgent bank transfer is made.
Hackers can also observe what websites are visited by your company more than any other and, once they are sure of a favourite, infect that website with malware. Anyone who visits the affected website will be infected by the virus, which will then continue to cripple your network from the inside.
This effective technique has been seen in a number of high-profile cases including a breach of Facebook and Apple achieved by infecting an iPhone Development forum.
Without a doubt the most dreaded outcome of social engineering, Ransomware is harmful software installed on your network that the hacker will only remove once you’ve paid them a “ransom.”
And of course, once you fork over their demands, be it money or data, there’s no guarantee they will release you. Then they have even more of your information that allows them even more access. It’s a brutal reality experienced by many companies – the best prevention is awareness!
It could be anything from a routine maintenance email from your recognised provider to a downloadable voucher for a restaurant – as soon as you authorise a download, the ransomware begins installation. And from there, it only spreads.
More like the “brute force” attacks of old, these work by a group of computers simply overloading your network with traffic so that you temporarily lose access.
When you regain access, your network may have been visibly pillaged. On the other hand, everything may look the same but your info has been copied for later use.
If you really want to feel like you’re in a Hollywood film, then consider this last approach, which features real-life intrusion of your systems. Tailgating commonly involves a hacker impersonating a deliveryman or other sort of workman, who then enters your building and conducts his hack from inside.
While easily prevented in larger companies, SMEs without strict entry card processes can fall victim to this surprisingly easily. All it takes is the gift of gab and the confidence that some hackers have in droves.
In this well-documented case, security consultant Colin Greenless was able to perform this technique and set up office within a FTSE-listed financial firm, where he then worked for three days without notice, as well as gained the passwords of 17/20 employees he tested.
The Future of Social Engineering
Social engineering has a worryingly bright future because of ever-growing reliance on social media and the constant threat of human error.
Increasing relevance of social media in banking, health-related and other personal services make our accounts more valuable targets than ever, and the takeover of these accounts will only become more and more profitable.
These are now becoming tools of vital function as well as communication, which in combination with the Internet of Things is sure to cause chaos. According to SC Magazine, the arrival of the Internet of Things in combination with ransomware is going to cause problems we can’t even imagine right now – so there’s that to look forward to!
What can you lose? Well, everything really. You could lose personal information in cases of identity theft, as well as personal credit card details in financial heists, affecting anyone from just yourself to the entire workforce and their families.
You could also lose vital company information, product designs, operations processes and any other internal plans shared across your network, which may threaten your reputation and market advantage.
In May 2018 the introduction of the General Data Protection Regulation (GDPR) will change the landscape further, making the prevention of file-based attacks more urgent than ever for businesses with operations within the EU. It improves heavier penalties on businesses that fail to protect their data, as well as potential for disclosure threatening revenue further.
Of course, this means you need to prepare against any attack with even more focus.
What can you do? There is a lot you can do to combat your company’s resistance to social engineering. However, as you guessed, these efforts are only as good as your least vigilant employee.
It doesn’t seem like a real threat until it happens, and then you will regret not having done something sooner. Here’s a couple of tips to hold off hackers and strengthen your workforce at the same time.
- Change passwords often – Make sure you enforce a password-changing calendar that requires both frequent changing and complex construction, say every three months.
- Encrypt! – So many SMEs neglect to encrypt their sensitive information, even when sending it outside of their network, when it is a vital part of effective company security.
- Antisocial media – Lock down all social media privacy settings if used at work. Do the same with your broswers to anonymise data.
- Patch like mad – It is the constant updates on all software that leaves windows for ransomware and other evils to get into your network. Update your systems rigorously and you will minimise this likelihood.
- Unknown? Delete! – We’ve all opened an unknown link or file while in a rush but enforce a zero-tolerance policy on this poor practice and breaches will be far less likely.
- Approval needed – Enable your network so that only company-approved devices can initiate access. This will not only protect your sensitive info but ensure existing viruses on company devices do not spread further.
- A Little Common Sense – At the end of the day, this is what it really takes to prevent a majority of social engineering attacks. Don’t recognise the sender? Already sent those details? Saw the CFO just an hour ago? Trust your gut and check before you act!
As Mitnick says: “You can’t download a Windows update for gullibility!”
Prevention through Awareness
Teaching your team about the dangers of social engineering is what will make the biggest difference. They must be prepared for anything from an iffy customer service call to full-blown CEO impersonation. With simple training your employees can become security-savvy and clued up on social engineering, able to spot signs of a potential threat and respond accordingly.
Work closely with your IT leaders to run cyber-security workshops and sit in on them, too! By educating your employees and yourself, filtering your emails and enforcing data management, you best-equip yourself against any attack.