Social engineering penetration tests show the many ways in which hackers can easily trick users and administrators into security lapses. It’s vital to your security program that every user and administrator understands these methods, how they can avoid becoming victims, and what to do if they suspect they have been targeted by a spear phishing campaign. The following offers excellent starting points for employee training that will help reduce the likelihood of compromise for your organization.
The Threat Level
New figures from Verizon’s annual Data Breach Investigations Report are out for 2015. Although organizations are getting better at discovering breaches, they’re still well behind the speed at which hackers are finding a way in. The report found that in 60 percent of breaches, the hackers gained entry in minutes or less. Meanwhile, only 25 percent of companies are able to discover these breaches within days or less. And between the time of breach and discovery, which can be months or even years, hackers have control of your data, using it to infiltrate other organizations, or to harvest data about your customers and employees to sell on the black market.
The easiest point of entry for any hacker is a set of valid credentials. And the easiest way to get them is to use social engineering to get users and administrators to simply give them away without knowing it. In a cloud environment, administrators have broad access to every virtual machine in it. Once a hacker has those credentials, there is no limit to the damage possible.
The Damage Done by Social Engineering
We can see the havoc such a breach causes when we observe the breaches at Sony and Anthem. At Sony, early reports blamed the breach on a disgruntled worker. Investigators later uncovered a phishing campaign showing that employee credentials were used, but that the employees themselves weren’t the culprits.
Hackers used spoofed Apple ID verification emails to do their dirty work. This led users to a site where they entered their Apple ID as “confirmation.” The hackers then cross-referenced that information to guess at passwords using personal information offered on LinkedIn. It’s unlikely many would associate such a simple action with such a massive data breach. Your employees must be aware that passwords can easily be guessed with even a tiny bit of personal information. Passwords should always be randomized, using password management software to keep them both random and secure.
In the Anthem breach, hackers spoofed versions of the company’s Wellpoint.com domain, used for many internal services including HR, a VPN, and a Citrix server. Employees who clicked through to these spoofed sites made it easy for hackers to pick up their credentials. Here, the quality of the passwords was not nearly as important as in the Sony breach. But two-factor authentication would have been a vital protection if Anthem had used it.
Other Social Engineering Examples
Admins are often more suspicious of questionable emails than the average user, but they are still vulnerable. Hackers have no conscience and will fool admins any way they can, using phishing tactics that pull at the heartstrings and then installing keyloggers to capture credentials.
The following penetration test, although aimed at a CEO, could easily have tricked an admin as well. By reviewing the CEO’s social media pages, the tester knew the CEO had a family member who had died of cancer. The penetration tester called the CEO, posing as a fundraiser for a cancer charity event and offering a raffle for several prizes he knew the CEO would want based on his social media profiles. The CEO agreed to have the caller email him a PDF entry form, even giving away the version of Adobe he was using. The CEO opened the attachment, installing malware on his machine. The CEO was understandably angry about the methods used in the penetration test, although he clearly did not understand that if an ethical person was willing to go this far to gain credentials, those with a more devious intent would likely go even further.
Your staff needs to understand that hackers will go so far as to monitor death announcements and pose as funeral homes to get an employee to click a link. They’ll use stolen personal information to send official-looking spoofed messages from HR. Because the email contains so much of their personal information, employees tend to trust these messages and click through.
One of the biggest red flags for employees to watch for is an email that elicits an emotional reaction. They should immediately pause and consider if the message was socially engineered. There is always a way to confirm a message is legitimate before clicking a link. For instance, a quick call to HR would confirm if an email was valid. A call to the funeral home would do the same. The CEO mentioned in the penetration test scenario could easily have asked the caller to send the entry form by mail.
If there is an emotional element to any email that asks the user to click a link, it’s suspect. At the same time, workers should understand that any email with a link in it should be suspect. For an Anthem user, for instance, it would have been just as easy to manually open a browser and type Wellpoint.com in the address bar instead of unknowingly being directed to We11point.com.
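As an added example (not part of the original post): a small Python check that a mail gateway or a user-training tool could run over an email body, flagging link hosts that become a legitimate domain once digit-for-letter substitutions such as We11point.com for Wellpoint.com are undone. The legitimate-domain list, the substitution table, and the sample email are assumptions constructed for this example.

```python
# Added example, not code from the original post or from HyTrust.
# Flags link hosts that resemble a legitimate domain after undoing common
# character substitutions (1->l, 0->o, 5->s, 3->e, 7->t, rn->m, vv->w).
import re
from urllib.parse import urlparse

# Assumed allow-list; Wellpoint.com is the domain named in the post.
LEGITIMATE_DOMAINS = {"wellpoint.com"}

# Single-character confusables commonly used in spoofed domains (assumed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t"})

def normalize_host(host):
    """Undo the substitutions so a spoof collapses onto the real name."""
    host = host.lower().strip(".").translate(CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w")

def classify_host(host):
    """Return 'legitimate', 'lookalike', or 'unknown' for a host name."""
    host = host.lower().strip(".")
    # Simplification: treat the last two labels as the registrable domain,
    # so hr.wellpoint.com is judged by wellpoint.com (ccTLDs like .co.uk
    # would need a public-suffix list).
    base = ".".join(host.split(".")[-2:])
    if base in LEGITIMATE_DOMAINS:
        return "legitimate"
    if normalize_host(base) in LEGITIMATE_DOMAINS:
        return "lookalike"
    return "unknown"

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

def scan_links(html):
    """Return (url, verdict) for every href found in an email body."""
    results = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results

# Constructed sample email: a spoofed VPN link next to a genuine HR link.
SAMPLE_EMAIL = (
    '<p>Confirm your VPN password at '
    '<a href="https://vpn.We11point.com/login">vpn.wellpoint.com</a></p>'
    '<p>HR portal: <a href="https://hr.wellpoint.com/">HR</a></p>'
)

if __name__ == "__main__":
    for url, verdict in scan_links(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

The check only catches substitution-style spoofs; a registered but unrelated domain still comes back as "unknown", which is why the post's advice to type the address by hand remains the safer habit.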
Shore Up Your Phishing Defenses with HyTrust
The ease with which hackers can fool employees shows why Zero Trust is such an essential strategy. Training employees to spot social engineering is vital to avoiding many attacks, but there will always be a weak link in the armor. When hackers do succeed at social engineering, businesses need tools that trust no one, requiring secondary authorization, two-factor authentication, visibility tools, and alerts on administrator accounts to ensure a compromised account that has broad control over your virtual system does not go unnoticed.
HyTrust’s CloudControl tools ensure your business remains protected, even if an administrator unsuspectingly gives away credentials. It offers two-factor authentication tools and monitoring for greater visibility into where data travels and how it is used. Secondary authorization workflows ensure a second person must approve sensitive actions before they can be executed. Contact us today to find out more about how HyTrust can help.