By Gene Fredriksen
As we continue to harden our infrastructure against attacks, the hackers have to find a new weak link in our defenses. That weak link is the user.
The use of social engineering is proving to be very effective in giving the bad guys the access they need. While the techniques of spy lore such as blackmail or outright buying the information from those willing to betray their companies are effective, it is cheaper and easier to trick the users into doing things that give the bad guys what they need.
Getting the user to visit a compromised website or a website that appears legitimate when in fact it is not can be quite effective in retrieving sensitive information from an unsuspecting Internet surfer. Getting the user to download something from these sites makes it even easier for the bad guys. The bad guys can also call your users directly and attempt to trick them into providing them with the information they need to compromise your environment.
And don’t forget about your myriad partners. How many have access into your environment? How many have domain access? With the rush to outsource and even offshore IT services, you now have people with full access to your environment over whom you have very little control. If the bad guys can’t break through your defenses they may certainly go after your partners.
How secure do you think the environments of your partners are, especially your offshore partners? While you may have contracts in place to “protect” you, you might want to take a real close look at the fine print. Chances are the monetary damages they will be liable for are very small compared to the actual damages that would occur. Your contracts with your partners should permit an independent third-party audit and penetration test of their environments each year.
Your partners are like folks with passports. As long as the passports are in the right person’s hands there is no problem letting them pass through the gate. Unfortunately, a hacker can steal a partner’s credentials and, like an unreported stolen passport, just walk right through the gate into your domain.
The bad guys know they can effectively prey on unsuspecting users during times of uncertainty. Consider an announcement by a major retailer that their systems were breached, resulting in millions of credit card numbers being released. A bad guy could piggyback on this opportunity to contact individuals, telling them their card has been compromised and needs to be replaced. They then proceed to extract as much personal information as possible from the person in what appears to be an effort to help the customer resolve a problem.
Customers, concerned over their personal information, unwittingly release the very information they are trying to protect. The bad guys can also exploit knowledge of the email addresses of a few IT folks during a real incident by creating emails with forged sender addresses, a technique known as spoofing that is very simple to do. The bad guy then simply interjects himself into the troubleshooting dialogue, appearing as a fellow employee, and begins extracting information from others in the email threads.
Pay attention to the continuing education of your users. Repeat the message often. Find ways such as posters, calendars, mugs, etc., to keep a security message in front of them every day. Ask your partners to do the same. The return on a small training and awareness investment can be huge.
About Gene Fredriksen
Gene Fredriksen, CISO for PSCU, has over 25 years of IT experience, with the last 20 focused on Information Security. Fredriksen held the positions of Global CISO for Tyco International, Principal Consultant for Security and Risk Management Strategies for Burton Group, Vice President of Technology Risk Management and Chief Security Officer for Raymond James Financial, headquartered in St. Petersburg, Florida, and Information Security Manager for American Family Insurance.