Chances are you are already familiar with the basic social engineering attack. Social media is one target within the broader spectrum of social engineering, alongside phishing, smishing, and unexpected phone calls. Last year, a data breach at the Ritz in London that evolved into vishing (voice phishing) attacks on high-net-worth hotel guests demonstrated how conniving cybercriminals have become at this kind of scam. Some of these attacks are very sophisticated and convincing, but they always come back to manipulation of the human mind. Information is one of the core prized assets of any organization (the same could be said of an individual). The goal of these social attacks is therefore to create mental lapses that cause security mistakes and disclose sensitive information: gain trust, then use that trust to launch another attack. Social engineering attacks are not very damaging on their own, but they are always combined with another form of subterfuge to do the dirty work.
Think about this scenario: it may seem like a fun game to share your birthday or submit answers to a quiz you see in your social media feed, but that is exactly the kind of innocence social attacks prey upon. Answers collected from a scam like this could let an impersonator pass on a phone call, answer password-recovery questions, or give a hacker a head start on cracking otherwise secure passwords. Data is everything.
Social engineering is a component of practically every modern cyberattack. Most recently, Samsung, Microsoft, Nvidia, The Ritz, and Morgan Stanley joined a long list of high-profile companies that have been breached by means of social engineering. Billions have been lost through countless combinations of:
· Credential theft
· Purchasing and exchanging cookies and credentials in public forums
· Targeting privileged employees including support, executive, and technical staff
· Privilege escalation
· Phishing in emails, links, and pages
· Impersonation
· Fake messages and pop-ups
Social engineering attacks are built on facets of human behavior and response. The most successful attacks rely on a near-scientific understanding of what happens when fear is used as a tool or a false sense of urgency is introduced: these are the moments when rash decisions are made. We are all human, and we are therefore all targets. The organization must decide what protections it can leverage to detect and minimize harm to sensitive data.
The most recent social engineering campaigns have moved beyond conventional tactics. To take one example, in the recent Lapsus$ incidents the breach was extremely non-technical: in some cases insiders were contacted and convinced to simply hand over privileged credentials for small sums of money. Whether it was for kicks, for financial gain, or out of some false sense of anti-corporate justice, this undermining of protections and privilege is more than many companies can handle. While this group appears to be facing a dismantling at the moment, the bigger issue is whether the success of these campaigns will inspire other groups to adopt similar tactics.
If preventing social engineering attacks sounds like a dire prospect, that position is difficult to deny: the human element will always be the most fallible component, and most attacks are spearheaded with a social component. These threats, however, are only part of the cybersecurity and information security spectrum, and by combining technical controls and monitoring with continuous security awareness they can be effectively mitigated. Building a multi-layer protection system around sensitive information and privileged accounts prevents the most common attacks. Employee training is critical, and it should not happen just once a year. It should be a continuous program of not only security education but also ethical phishing tests, so you understand the soft spots in your organization.
Beyond a solid base of up-to-date security practices, organizations are looking to close potential oversights. Zero Trust is one strong approach: details matter, you trust no one, you validate everything and everyone everywhere, and you encrypt everything everywhere. You can further deploy security software and appliances with anti-phishing, sandboxing, and additional prevention capabilities. Many organizations have also started to pay attention to data access design in everything from SharePoint to messaging systems, which helps prevent information leakage.
The specter of social engineering is extensive and difficult to protect against. Attackers can come from anywhere, through combinations of traditional mail, email, links, phone calls, SMS messages, social media pages, and more. This is one reason a comprehensive security strategy is so critical. With robust monitoring and alerting in place, anomalous behavior, privilege escalation, unknown sources, and sign-in discrepancies are the sort of triggers that can alert the organization and stop a chain of events that often begins with simple social engineering. The practice of comprehensive security also ensures that an organization can efficiently (and safely) return to normal in the event of a major security incident.
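As an added illustration of the triggers named above (not code from the original article or from Ntirety), the following check correlates constructed sign-in and privilege-change events against a per-user baseline of known sources and raises an alert for an unknown-source sign-in, a sign-in discrepancy, and a privilege change made from an unknown source. The event fields, source labels and baseline are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event, source).
# 'source' is a coarse label for where the session came from (assumed).
EVENTS = [
    ("2022-03-20T09:00:00", "alice", "signin",   "office-hq"),
    ("2022-03-20T09:05:00", "alice", "read",     "office-hq"),
    ("2022-03-20T09:07:00", "alice", "signin",   "unknown-asn-1"),  # second login, new source
    ("2022-03-20T09:09:00", "alice", "role_add", "unknown-asn-1"),  # privilege escalation
    ("2022-03-20T10:00:00", "bob",   "signin",   "office-hq"),
    ("2022-03-20T10:30:00", "bob",   "read",     "office-hq"),
]

# Constructed baseline: sources each user has legitimately used before.
KNOWN_SOURCES = {"alice": {"office-hq"}, "bob": {"office-hq"}}
WINDOW = timedelta(minutes=30)  # assumed window for a sign-in discrepancy


def detect(events, known_sources, window=WINDOW):
    """Return (user, rule, timestamp) alerts for three triggers:
    a sign-in from a source outside the user's baseline, two sign-ins
    from different sources within `window`, and a privilege change
    performed from an unknown source."""
    alerts = []
    last_signin = {}  # user -> (time, source) of the most recent sign-in
    for ts, user, event, source in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        known = source in known_sources.get(user, set())
        if event == "signin":
            if not known:
                alerts.append((user, "unknown_source_signin", ts))
            prev = last_signin.get(user)
            if prev and prev[1] != source and t - prev[0] <= window:
                alerts.append((user, "signin_discrepancy", ts))
            last_signin[user] = (t, source)
        elif event == "role_add" and not known:
            alerts.append((user, "privilege_change_from_unknown_source", ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_SOURCES):
        print(alert)
```

In a real deployment the baseline would come from historical sign-in data and the source label from IP, ASN or device attributes; the correlation logic stays the same.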
This article was originally published in Forbes; please follow me on LinkedIn.