CYBERSECURITY WHITEPAPER - IVDesk

Posted on 23-Sep-2020


WHAT IS SOCIAL ENGINEERING?

HOW TO IDENTIFY THE DAILY THREATS TO YOUR FIRM AND PROTECT AGAINST THEM

Social engineering is, at its most basic, the manipulation of people into performing actions or giving up data that they would not under normal conditions. Anything and everything, from usernames and passwords to the name of your Internet service provider and the brand of your security system, is of use to criminals looking for a way into your company.

We're going to break down a few of the most successful ways these nefarious types exploit you and your staff to obtain the information or access they're after, and what you can do to protect your company today.

ivdesk.com | Social Engineering | 3

SP3@R PHISH1NG 101

Norton™ defines spear phishing as "an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC."¹

Spear phishing continues to thrive because users are curious to 'see what happens' or to 'see where it goes.'

BY THE NUMBERS

Symantec™ reported that spear phishing attacks rose 55% in 2015.²

IN THE NEWS

United States: Phishing For Corporate Dollars: The Emerging Global Threat Posed By Spear Phishing And Business Email Compromise – http://www.jonesday.com/phishing-for-corporate-dollars-the-emerging-global-threat-posed-by-spear-phishing-and-business-email-compromise-09-23-2015/

WHAT YOU CAN DO

Educating employees is key to keeping your firm from being easily exploited by these attacks.

Have a plan in place that outlines how employees should report and handle a suspected spear phishing email.

Continue to enforce and update security procedures and policies as your company grows and threats evolve.

IVDESK'S INFORMATION SYSTEMS MANAGER, ERICK JENSEN, SAYS

Spear phishing works most of the time because people click simply out of curiosity. They believe it is legitimate and want to see what happens.

SOURCES

1. Spear Phishing: Scam, Not Sport – http://us.norton.com/spear-phishing-scam-not-sport/article
2. Attackers Target Both Large and Small Businesses – https://www.symantec.com/content/dam/symantec/docs/infographics/istr-attackers-strike-large-business-en.pdf

USB B@IT1NG

Baiting hit its stride with CDs and DVDs in years past, but it has become even more popular with social engineers in recent years as USB drives have become commonplace. Their ease of use and compatibility with nearly any system make them a desirable tool for crooks.

Typically, a USB drive is left behind in an office or a nearby public setting. When the unsuspecting mark connects it to their computer to find out who it belongs to or what is on it, they are infected with malware that gives the attacker the access they were after. The drive does not even need to carry files: a device that presents itself to the computer as a keyboard can type commands the moment it is plugged in, so scanning the drive's contents is not a sufficient defence.

BY THE NUMBERS

Companies believing they have already been compromised: 47%¹

IN THE NEWS

23 Social Engineering Attacks You Need To Shut Down – https://www.smartfile.com/blog/social-engineering-attacks/

Social Engineering is the real issue – http://www.dyrand.com/2016/09/social-engineering-real-issue/

Half of people plug in USB drives they find in the parking lot – http://www.theregister.co.uk/2016/04/11/half_plug_in_found_drives/

WHAT YOU CAN DO

Do not allow USB drives to be used in your office, if possible.

Train employees to transfer and send files through approved channels.

Test employees routinely to be sure security remains a priority.

If you must use USB drives, assign one or two people who can establish a drive's authenticity before it is used.

IVDESK'S CISO, BILL SORENSON, SAYS

I was recently in a few medical buildings and at one point I was left alone. All of the USB ports were exposed, and most likely active. Someone could plug in a USB drive and install a Wi-Fi keylogger or malware; any of those could give you full access to that computer. It's not difficult to get malware inside somebody's network once you're inside.

SOURCES

1. New IT Security Survey Reveals Nearly Half of Companies Assume They Have Been Compromised – http://isyourdatasafe.com/pdfs/8-Nearly-Half-of-Companies-Assume-They-Have-Been-Compromised.pdf
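The advice to restrict USB drives and to have designated people vouch for the ones that are allowed can be backed by a check on what actually gets plugged in. The following is an added example, not code from the IVDesk whitepaper: it reads Linux kernel log lines of the kind dmesg prints when a USB device enumerates, groups them per port, and compares each device against a hypothetical register of approved drive serials. The log lines and the register are constructed for illustration. The third device in the sample shows the case the text warns about: it reports an approved drive's serial but registers an input (keyboard) interface rather than storage, which a check based only on serial numbers or on scanning files would miss.

```python
"""
USB device audit from kernel log lines.
Added example, not code from the IVDesk whitepaper. The log lines are constructed
in the style of Linux dmesg output for three plugged-in devices, and the register
of approved drive serials is a hypothetical list kept by the people who vouch for
drives (an assumption, not something the whitepaper describes).
"""
import re

SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: Cruzer Blade
usb 1-1: Manufacturer: SanDisk
usb 1-1: SerialNumber: 4C530001230712110043
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-2: Product: DataTraveler 3.0
usb 1-2: Manufacturer: Kingston
usb 1-2: SerialNumber: 408D5CAF20B3E0C0D98A
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-3: Product: Cruzer Blade
usb 1-3: Manufacturer: SanDisk
usb 1-3: SerialNumber: 4C530001230712110043
input: SanDisk Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:0781:5567.0001/input/input5
"""

# Hypothetical register: serial -> the interfaces the vouched-for drive is known to present.
APPROVED_DRIVES = {"4C530001230712110043": {"storage"}}

NEW_DEVICE = re.compile(r"^usb (?P<port>\d+-[\d.]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
ATTRIBUTE = re.compile(r"^usb (?P<port>\d+-[\d.]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<value>.+)$")
STORAGE = re.compile(r"^usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
INPUT = re.compile(r"^input: (?P<name>.+) as /devices/\S+/(?P<port>\d+-[\d.]+):\d+\.\d+/")


def parse_usb_log(text):
    """Group log lines by USB port into one record per enumerated device."""
    devices = {}
    for line in text.splitlines():
        if (m := NEW_DEVICE.match(line)):
            devices[m["port"]] = {"vid": m["vid"].lower(), "pid": m["pid"].lower(), "interfaces": set()}
        elif (m := ATTRIBUTE.match(line)) and m["port"] in devices:
            devices[m["port"]][m["key"]] = m["value"]
        elif (m := STORAGE.match(line)) and m["port"] in devices:
            devices[m["port"]]["interfaces"].add("storage")
        elif (m := INPUT.match(line)) and m["port"] in devices:
            devices[m["port"]]["interfaces"].add("input")
    return devices


def classify(device, approved=APPROVED_DRIVES):
    """Return ("ok" | "alert" | "info", reason) for one device record."""
    serial = device.get("SerialNumber")
    interfaces = device["interfaces"]
    if serial in approved:
        unexpected = interfaces - approved[serial]
        if unexpected:
            # Same serial as a vouched-for drive, but it exposes something a drive should not.
            return "alert", "approved serial presents unexpected interface(s): " + ", ".join(sorted(unexpected))
        return "ok", "registered drive"
    if "input" in interfaces:
        return "alert", "unregistered device presents a keyboard/input interface"
    if "storage" in interfaces:
        return "alert", "unregistered mass-storage device"
    return "info", "unregistered device with no storage or input interface"


def audit(text, approved=APPROVED_DRIVES):
    """Map each port to its verdict; the caller decides what to do (log, block, page someone)."""
    return {port: classify(dev, approved) for port, dev in sorted(parse_usb_log(text).items())}


if __name__ == "__main__":
    for port, (verdict, reason) in audit(SAMPLE_LOG).items():
        print(f"{port}: {verdict} - {reason}")
```

Vendor ID, product ID and serial strings are all supplied by the device, so an attacker can copy them from an approved drive; the interface check is what catches the third device. On a real host the same lines come from `journalctl -k` or from udev events, and the register would be maintained by whoever is assigned to vouch for drives.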

FAK3 SUPP0RT C@LLS

The Federal Trade Commission warns, "They call, claiming to be computer techs associated with well-known companies like Microsoft. They say that they've detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don't need."¹

These con artists relentlessly prey on your insecurity about your computer knowledge and your fear of viruses and malware. Don't be afraid to question them.

BY THE NUMBERS

Symantec™ reported a 200% rise in tech support scams this year.²

IN THE NEWS

Feds shut down tech support scammers, freeze assets – http://www.computerworld.com/article/3097576/malware-vulnerabilities/feds-shut-down-tech-support-scammers-freeze-assets.html

Norton Antivirus tech support scam lands Symantec reseller in hot water – https://www.grahamcluley.com/norton-antivirus-tech-support-scam-lands-symantec-reseller-hot-water/

WHAT YOU CAN DO

Don't give control of your computer to anyone you haven't initiated contact with.

Do not rely on Caller ID; it is easily spoofed.

Never provide your password or credit card information to someone who calls you.

Hang up if it seems suspicious.

IVDESK'S INFORMATION SECURITY MANAGER, ERICK JENSEN, SAYS

Don't let anyone connect to your computer, ever, unless it is a trusted, known partner or reputable service provider (Apple and Microsoft never call). Put them on hold, get them to call you back, do things that make their job of getting at you difficult, because this will only stop when it becomes unprofitable.

SOURCES

1. Tech Support Scams – https://www.consumer.ftc.gov/articles/0346-tech-support-scams
2. Tech support scams target victims via their ISP – http://www.bbc.com/news/technology-36084989

SH0ULD3R SURF1NG

Shoulder surfing is the act of looking over someone's shoulder to obtain their password or other sensitive information. It is often used to collect credit card numbers, ATM PINs, and various forms of PII (Personally Identifiable Information).

This type of attack can be particularly difficult to detect or defend against because it requires no training or equipment and can be carried out by nearly anyone. It might not seem like a dangerous threat, but it should be taken as seriously as any cyber attack on your firm.

BY THE NUMBERS

UK commuters who admit to spying over someone's shoulder: 72%¹

IN THE NEWS

Visual hacking is real. – http://www.3m.com/3m/en_US/privacy-screen-protectors-us/visualprivacy/visualhacking/?WT.mc_id=www.3Mscreens.com/visualhacking

What is Shoulder Surfing? – https://www.identityforce.com/blog/what-is-shoulder-surfing

The threat of shoulder surfing should not be underestimated – http://www.csoonline.com/article/3021882/security/the-threat-of-shoulder-surfing-should-not-be-underestimated.html

WHAT YOU CAN DO

Be aware of who is around you when accessing private information in public places.

Close or hide sensitive information when someone approaches you at your desktop computer.

Use a privacy screen to limit what snoops can see.

Watch out for cameras on smartphones and tablets being used around your screens.

IVDESK'S INFORMATION SECURITY OFFICER, ERICK JENSEN, SAYS

With so many people who are road warriors, working at airports, coffee shops and bookstores, many people don't pay attention to their surroundings. Even the icons on your desktop, the version of software you have, whether you use Windows or Apple computers, all those things are useful pieces of information.

SOURCES

1. New survey highlights risk from 'commuter snoopers' – http://www.visualdatasecurity.eu/2013/10/new-survey-highlights-risk-commuter-snoopers/

C0FF33 BR3@KS

Coffee and smoke breaks are a great opportunity to chat and catch up with co-workers. Unfortunately, they also create abundant opportunities for social engineers to find their way into your company by sidling up to unsuspecting employees who may presume, or be tricked into thinking, that the impostor is part of the team.

BY THE NUMBERS

Data breaches that come from internal sources: 63%¹

IN THE NEWS

10 Common Social Engineering Tactics Used by Attackers – http://www.business.com/internet-security/10-common-social-engineering-tactics-used-by-attackers/

Social Engineering: The Basics – http://www.csoonline.com/article/2124681/leadership-management/security-awareness-social-engineering-the-basics.html

10 social engineering exploits your users should be aware of – http://www.techrepublic.com/blog/10-things/10-social-engineering-ploys-your-users-should-be-aware-of/

WHAT YOU CAN DO

Don't be afraid to ask for ID.

Remember: friendliness, familiarity or distress does not equal trust.

Practice prevention skills.

Don't discuss private company information on breaks.

Don't lend your phone to strangers; offer to make a call for them instead.

IVDESK'S INFORMATION SECURITY OFFICER, ERICK JENSEN, SAYS

While everybody is looking down at their phones they don't pay attention to the people around them. In that environment, walking around with your phone out taking pictures is a completely acceptable behavior. It's not difficult to just take a picture of somebody's exposed badge.

SOURCES

1. 2014 Data Protection and Breach Readiness Guide (Online Trust Alliance) – http://isyourdatasafe.com/pdfs/1-2014-OTA-Data-Breach-Guide.pdf

SP00F1NG

Spoofing is when attackers digitally impersonate a known colleague's email address, a client's phone number, or even a trusted IP address, so convincingly that it has become an extremely lucrative way for them to extract information, access and authorization in a nearly imperceptible manner.

This is arguably the most technically demanding technique used in social engineering, and it can be hard for the average person to recognize that they are being attacked.

BY THE NUMBERS

Email fraud from domains that aren't owned by brands: 70%¹

IN THE NEWS

Most Brokerages and Advisory Firms Targeted by Cybercriminals – http://www.wsj.com/articles/most-brokerages-and-advisory-firms-targeted-by-cyber-criminals-1422993463

Over half of world's top domains weak against email spoofing – http://www.zdnet.com/article/over-half-of-worlds-top-email-services-weak-to-spoofing/

WHAT YOU CAN DO

Publish a Sender Policy Framework (SPF) record listing the servers allowed to send mail for your domain.

Publish a Domain-based Message Authentication, Reporting, and Conformance (DMARC) record. A policy of p=none only reports on spoofed mail; spoofed messages are quarantined or rejected only once the policy is moved to p=quarantine or p=reject.

Require Transport Layer Security (TLS) for mail in transit.

Frequently review spam policies and filters.

IVDESK'S INFORMATION SECURITY MANAGER, ERICK JENSEN, SAYS

With the ability to spoof email, caller ID and generate new numbers on the fly, even text messaging from a spoofed number has become the new way of spamming, or phishing, or hacking. They want you to send sensitive information, but don't forget that text messages aren't encrypted. Never give any information across a text message; this is a process every company should put in place immediately.

SOURCES

1. 2014 Data Protection and Breach Readiness Guide (Online Trust Alliance) – http://isyourdatasafe.com/pdfs/1-2014-OTA-Data-Breach-Guide.pdf
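To show what the SPF and DMARC records recommended above actually do to a spoofed message, here is an added example; it is not code from the IVDesk whitepaper. It replaces the DNS resolver with a dictionary of constructed TXT records for example.com (and for a domain the attacker controls), evaluates SPF for the envelope sender, then applies DMARC's alignment rule between the domain the user sees in From: and the domain that passed SPF or DKIM. The domains, addresses and messages are all constructed; DKIM verification itself is assumed to have already happened and is represented only by the signing domain. Only the ip4/ip6/all SPF mechanisms are implemented, and the organizational-domain rule is simplified.

```python
"""
How SPF and DMARC decide what happens to a spoofed message.
Added example; it is not code from the IVDesk whitepaper. The DNS records,
IP addresses, domains and messages below are constructed for illustration
(example.com, attacker-mail.test, 203.0.113.0/24 and 198.51.100.0/24 are
documentation values), and the resolver is replaced by a dict. Only the
ip4/ip6/all SPF mechanisms are handled; include:, a, mx and exists would
need further DNS lookups.
"""
import ipaddress

# Constructed DNS TXT records standing in for live lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.com",
    # The attacker publishes perfectly valid SPF for a domain they control.
    "attacker-mail.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, dns=DNS_TXT):
    return dns.get(name.lower())


def check_spf(domain, client_ip, dns=DNS_TXT):
    """SPF for the envelope sender's domain: is client_ip an authorized source?"""
    record = lookup_txt(domain, dns)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without an 'all' default


def parse_dmarc(domain, dns=DNS_TXT):
    record = lookup_txt("_dmarc." + domain, dns)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: the last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg, dns=DNS_TXT):
    """msg: from_header (RFC5322.From, what the user sees), mail_from (envelope
    sender), client_ip, and optionally dkim_domain (d= of a DKIM signature that
    already verified). Returns (spf_result, dmarc_result, disposition)."""
    from_domain = msg["from_header"].rsplit("@", 1)[1]
    mail_from_domain = msg["mail_from"].rsplit("@", 1)[1]
    spf = check_spf(mail_from_domain, msg["client_ip"], dns)
    dmarc = parse_dmarc(from_domain, dns)
    if dmarc is None:
        return spf, "none", "accept"  # the visible domain publishes no policy
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, dmarc.get("aspf", "r"))
    dkim_domain = msg.get("dkim_domain")
    dkim_aligned = dkim_domain is not None and aligned(from_domain, dkim_domain, dmarc.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return spf, "pass", "accept"
    policy = dmarc.get("p", "none")
    return spf, "fail", policy if policy in ("reject", "quarantine") else "accept"


# Constructed messages. The spoof forges the visible From: but is sent from the
# attacker's own infrastructure; the lookalike uses a domain the brand does not own.
LEGIT = {"from_header": "cfo@example.com", "mail_from": "cfo@example.com",
         "client_ip": "203.0.113.25", "dkim_domain": "example.com"}
SPOOFED = {"from_header": "cfo@example.com", "mail_from": "bounce@attacker-mail.test",
           "client_ip": "198.51.100.7"}
LOOKALIKE = {"from_header": "cfo@examp1e.com", "mail_from": "cfo@examp1e.com",
             "client_ip": "198.51.100.7"}

if __name__ == "__main__":
    for name, msg in (("legitimate", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, evaluate(msg))
```

The spoofed message passes SPF, because the attacker's own domain authorizes the attacker's own server; it is rejected only because DMARC requires the passing domain to align with the From: domain the user sees and example.com publishes p=reject. Replace that record with p=none and the same message is accepted. The lookalike domain publishes nothing, so nothing fails and it is accepted, which is the gap behind the 70% figure above and the reason filters and user training remain necessary alongside SPF and DMARC.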

M@ST3R 0F D1SGU1S3

A master of disguise can easily adopt any persona to get what they want from you. Couriers, former employees, business owners, system administrators, off-site management, service workers and a friendly stranger in distress are all tools in their arsenal.

Born from the classic "confidence men," this long-established ruse is still in practice because of its enduring success rate; it strikes at the heart of our humanity.

BY THE NUMBERS

People claiming knowledge of a scam helped them avoid it: 80%¹

IN THE NEWS

Frank Abagnale Biography – http://www.biography.com/people/frank-abagnale-20657335#impersonations

3 Low-Tech Threats That Lead to High-Profile Breaches – http://www.cio.com/article/2860175/data-breach/3-low-tech-threats-that-lead-to-high-profile-breaches.html

America's Best Jewel Thief Is An 85-Year-Old Woman – http://www.thedailybeast.com/articles/2016/01/23/america-s-best-jewel-thief-is-an-85-year-old-woman.html

WHAT YOU CAN DO

Stick to your security policies, no matter how charming the visitor is.

Slow down and don't let yourself be rushed.

Be observant of your vendors and regular office visitors.

Never disclose PII or other sensitive information without verification.

IVDESK'S INFORMATION SECURITY MANAGER, ERICK JENSEN, SAYS

Imagine if someone calls your office and says, "Hey, I'm from Starbucks Coffee, and I was just wondering who you use for a coffee service? Oh, you use Caribou? Okay, great." There's a lot of ways to casually learn that information. So when this guy shows up at your office, he delivers Caribou Coffee and while he is in your office he installs malware.

SOURCES

1. 5 Myths About Scams – http://www.bbb.org/globalassets/shared/media/truth-about-scams/BBB-ScamProgram-Infographic.pdf


ivdesk.com | 612.213.2794

We hope you’ve gained a clearer understanding of the types of social engineering attacks your company is vulnerable to every day and some of the steps you can take to make sure your firm isn’t exploited.

At IVDesk, we take every threat to our customers’ data seriously and are dedicated to helping educate and protect our clients from social engineering attacks. We are committed to equipping our clients and their employees with the tools and knowledge to safeguard themselves from the nefarious attempts of social engineers.

Tell us about your current IT systems and let us show you how our complete cloud approach can work for you.