The cyber threat and social engineering


It is hard to get away from the presence and scale of the cyber security threat.


The mainstream and social media are full of stories of companies who have been hit by a data breach, but there are many more you will never hear about.


TalkTalk and Sony hit the headlines worldwide in 2015, but the US National Guard, Harvard University and Blue Cross Blue Shield also lost the personal data of millions of their employees and customers. Beyond this are literally thousands of smaller organisations who have suffered data breaches that they will never make public for fear of the impact on their reputation.


Here in the UK, government figures from the Information Security Breaches Survey 2015 indicate that the average cost of the most severe online security breaches for big business ranges from £1.5 to £3.1 million and for SMEs the cost averages from £75,000 to £311,000. The same survey also shows that 90% of large organisations and 74% of SMEs reported they had suffered an information security breach during the year.


The changing nature of the threat


So the scale of the threat is vast and growing, but even more important for corporate security professionals to note is that the nature of the threat is also changing. Firstly, as the profits from cyber crime have grown, it has attracted the attention of more organised groups with more human resources available to them, including governments, organised crime and even terrorist organisations. Secondly, as the technology response to the cyber threat has become more sophisticated, with robust firewalls and virus monitoring software now standard, cyber criminals have had to find new ways past corporate perimeter security.


The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This point of attack is focused on the weakest link in the corporate security chain: human beings rather than technology. The same UK government data confirms this, showing that 75% of large businesses and 30% of small businesses suffered staff-related data breaches in the last year.


This is what used to be known as the “insider threat”, but that inadequate terminology suggests complicity by employees in cyber crime, which is usually not the case. Instead, a more appropriate new term has been coined to describe the threat, which is “social engineering”. Social engineering has been described as an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is also defined as the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.


2 © CITY SECURITY MAGAZINE – SUMMER 2016


Social engineering techniques


There are a number of common social engineering techniques employed by cyber criminals. These include:


Spear phishing – This is probably the most common technique and is a more sophisticated version of the well-known phishing scam, where speculative e-mails are sent to large numbers of people, pretending to be from legitimate organisations, in the hope of tricking them into parting with sensitive data. Spear phishing targets known companies and individuals and first builds up a picture of them from social media, or other open sources, before seeking to extract information about their passwords in order to access a corporate data network.


This can be in the form of an e-mail message or even a remote attempt to guess a password based upon researched personal information such as dates of birth and names of family members. The attack may begin by hacking into a less secure system such as private e-mail or Twitter, but the real target is the employee’s corporate network.


Pretexting – This is a variation on phishing in which a sophisticated scenario is invented to engage a targeted victim in order to trick them into disclosing confidential security data. This engagement can often take the form of a phone call that pretends to be from their bank or a law enforcement agency, or even from their company helpdesk. Like spear phishing, this attack will usually involve some legitimate personal data that has been obtained elsewhere, which helps to create confidence in the victim that the call is genuine.


Baiting – This is a less complicated trick that relies on physical media, such as a USB stick or floppy disk loaded with malware, which is left in a location that is likely to be found by employees of the target company. This could be a smoking area, elevator, bathroom or even parking lot. A corporate logo or interesting label, such as “2015 salary details”, will increase the apparent legitimacy of the disk and sooner or later someone will pick it up and insert it into their disk drive. Once this happens the malware will immediately be installed on the system and the job is done. Compromised media can also be sent through the post to an intended victim.


www.citysecuritymagazine.com


Tailgating – An even more primitive form of attack can be via the device of tailgating. This is where an attacker, seeking entry to a restricted area via, say, an unattended electronic gate, simply walks in behind a person with legitimate access credentials. This ruse can be supported by the attacker carrying papers or a coffee and wearing shirtsleeves and no jacket, as if they had just popped out. If challenged they may even present a fake access card, without actually using it.


Once inside the premises the attacker will seek out a vacant desk and insert a disk into it or look for evidence of passwords lying around. A more complex version of this full frontal attack is someone entering the premises acting as a courier or a cleaner, or even an actual temporary employee who has been recruited for just this purpose.


Mitigating actions


So, what can be done from a corporate security perspective to protect your company against the new social engineering threat? Here are six good practice security tips that can help to mitigate, if not eliminate, the threat:


• Train your employees and create awareness amongst them about the social engineering threat. Warn them about information they make public on social media and about the threat from e-mails, hyperlinks and phone calls. Forewarned is forearmed.


• Protect all of your devices against viruses and other malicious code through the use of up-to-date anti-virus software. Out-of-date versions are no use at all. Also ensure that you have a bring-your-own-device policy that guards against employees introducing viruses to your network through mobile devices that they bring to work.


• Secure your network from the internet by using a firewall. Avoid using Wi-Fi, if possible, and if you have to, then make sure it is securely configured. If employees work from home, make sure that they have security on their own systems, including a firewall. Only allow secure VPN connections with employees outside the office.

