Work, life, and the internet are intertwined these days – it all happens online and in real time. But the personal details we innocently post leave a footprint that hackers can use as a stepping stone to their real target – corporate information and finances. How? Bad actors gather up personal information such as interests, education, and employee promotions to create a profile of their targets, then craft highly sophisticated attacks.
Cybersecurity tends to focus on data security, but threats to an enterprise’s security may emanate from a variety of vectors, including trusted insiders and those who work with them, such as third party providers. That’s why at TSC Advantage, we focus on six domains: Data Security, Insider Threat, External Business Operations, Internal Business Operations, Mobility, and Physical Security.
Where does social engineering and your online profile fit in? As TSC’s Director of Threat Analytics, Craig Guiliano, described in a presentation at today’s Olympus Insurance Fall 2016 Risk Conference in Salt Lake City, it’s the connection to one domain in particular – Insider Threat.
What is Insider Threat?
Insider Threat is a current or former employee, contractor or someone who has or had authorized access to sensitive data, systems, technology, personnel, or other items of interest. That’s most of us, and that’s why more than 70% of all cyber breaches are attributed to a credentialed or trusted insider.
Do you have a written list of all your passwords? Do you ever share usernames and passwords with colleagues? Have you ever used “password” as your password? Negligent insiders – most of us – may be targeted through phishing or spear-phishing campaigns. With increasing access to smartphones and the Internet of Things, unwitting or negligent insiders represent the largest pool of potential insiders, and if you haven’t already been targeted by some sort of scam, you’re in the minority.
Malicious insiders, most often a disgruntled or departing employee, may knowingly steal from or sabotage systems, IP, or other important virtual or physical assets. Compromised insiders have had their credentials stolen or otherwise compromised by an outsider for purposes such as espionage, fraud, or attack. Anyone who could become a compromised or malicious insider may be susceptible to recruitment through social media or some other electronic medium, such as chat rooms or message boards.
The Big Con Game
Hackers prey on the fact that most people don’t want to challenge authority or create an uncomfortable social interaction. Social engineering takes advantage of this by combining human interaction, whether in person or via a virtual medium, with social skills, in order to obtain or compromise sensitive data.
First, the attacker identifies employment history, family data, hobbies, etc. to create a profile and identify your potential motivations or vulnerabilities. Next, the attacker tries to build a relationship remotely using a cover that appeals to your preferences. Do you ever accept online connection invites from someone you’ve never heard of, or receive unsolicited offers for jobs or interviews?
Determined hackers also craft tailor-made emails using information gathered on your company, often including the actual names of colleagues and a malicious attachment. If you click – which studies repeatedly show many people do – you unwittingly become the Insider, and the attacker uses this as a jumping-off point to spread through your organization’s network.
How Social Engineering Is Used
Example 1: Using posted details about travel plans, an individual may pose as a hotel employee to call and “confirm” details such as credit card and room number, or birthdate.
Example 2: Business Email Compromise, in which targeted emails that appear to originate from company executives are sent to an employee with access to company funds, ordering them to make wire transfers. Clever criminals have already gathered intelligence and know the company works with foreign suppliers or is expanding into foreign markets, so their instructions are not questioned. Such schemes have netted criminals a billion dollars since 2015, according to the FBI.
Example 3: Phishing attempts to manipulate victims into opening files, attachments, or clicking on embedded links in an email as a means to deliver malware. In fact, not only criminals, but nation-states use phishing campaigns to target broad industries of interest. Most people have probably received a phishing email – or hundreds of them. Most end up in your junk box or are blocked by your network’s perimeter defenses.
Example 4: Spear phishing is much more targeted. Collecting data on the potential victim and using social engineering techniques will increase the likelihood that a phishing email will bypass spam filters and actually reach the end user. Once the email is opened, a variety of malware can be injected. This is how a trusted insider becomes the threat.
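The Business Email Compromise pattern in Example 2 (an executive's name on a message that did not come from the company, asking for a wire transfer) can be triaged mechanically before a finance employee ever sees it. The following is an added defender-side example, not TSC Advantage's code; the corporate domain, the executive roster, the wire-request phrases and the sample messages are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumptions (constructed for this example): the company's real mail domain and
# the executives whose names an impersonator would borrow.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}
# Phrases typical of a payment request; tune these to your own finance workflow.
WIRE_TERMS = re.compile(r"wire transfer|urgent|confidential|new supplier|bank details", re.I)

def split_address(header_value):
    """Return (normalized display name, lower-cased domain) from a From/Reply-To header."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return " ".join(name.lower().split()), domain

def is_lookalike(domain):
    """Close-but-wrong domains (examp1e-corp.com) score high; unrelated ones do not."""
    if not domain or domain == CORPORATE_DOMAIN:
        return False
    return SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio() >= 0.8

def triage(headers, body):
    """Return the BEC indicators found in one message; an empty list means none."""
    reasons = []
    name, from_domain = split_address(headers.get("From"))
    _, reply_domain = split_address(headers.get("Reply-To"))
    if name in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        reasons.append("executive display name on a non-corporate sender")
    if is_lookalike(from_domain):
        reasons.append("sender domain is a lookalike of the corporate domain")
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To routes replies to a different domain")
    if WIRE_TERMS.search(body):
        reasons.append("body requests a payment or wire transfer")
    return reasons

# Constructed sample messages, not real mail.
SUSPECT = ({"From": "Jane Doe <jane.doe@examp1e-corp.com>"},
           "Please process an URGENT wire transfer to our new supplier today. Keep this confidential.")
BENIGN = ({"From": "Jane Doe <jane.doe@example-corp.com>"}, "Board deck attached for Thursday.")

if __name__ == "__main__":
    for label, (hdrs, text) in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(hdrs, text))
```

Any non-empty result is a reason to hold the message for a call-back to the executive over a known number, which is the control that defeats the scheme regardless of how convincing the email is.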
Think Beyond Data Security
Each day, individuals are targeted through mass online schemes and detailed social engineering efforts. As a result, we are all insider threats. Cybersecurity is not so much a technology problem for your IT department to solve; it’s a people problem. In fact, simply investing in technological solutions eventually reaches a point of diminishing returns.
We believe holistic cyber security addresses not only technology, but also processes and people. That means changing the culture of your workplace, involving key stakeholders across the enterprise, creating awareness, and providing training. A cross-departmental and proactive approach is the best way to defend against the possibility of your digital presence impacting yourself and your employer.