When the Hacks Are Coming From Inside the Building
Attacks on corporate IT infrastructure are becoming routine. Some organizations might even take it as validation of their importance and success. Between the Chinese government, the Russian mob, the Syrian Electronic Army and a host of freelancers from Manila to Minsk, the web has become a target-rich environment for anyone with the skills and the initiative.
Increasingly, enterprises are taking a lesson from the government and hacking their own systems to see whether the warnings and training have any effect on behavior. The result, as the following article explains, is not encouraging. In one test almost 50 percent of employees phished took the bait. Even more than that clicked on the tainted link itself.
As in so many other fields of human endeavor, the prevailing attitude appears to be that such problems happen to other organizations and other people, not to moi.
There are concerns about potential erosion of trust, but the atmosphere is so replete with tales of subterfuge and misdirection that most employees seem inured to it. Privacy may be valued, but its presence is not taken for granted. If anything, the presumption is that nothing is secure.
Research has proven that the higher one's position, the more susceptible one may be to this sort of digital intrusion. Executives appear to believe they are more insulated from such attacks than others, despite the evidence suggesting the opposite is true. The reality is that much of this activity is opportunistic. Attempts to strengthen defenses are probably worth the effort, even if the lesson learned is just how vulnerable the institution may be. JL
Neal Ungerleider reports in Fast Company:
When some workplaces do security audits, they hack their own employees. Confession time: Fast Company tried it, too. Here's what happened.
Earlier this year, employees at a prominent media company received a strange email asking them to reverify their accounts. These emails didn't come from a web hosting company or a cloud service provider; instead, they came from an attacker trying to find vulnerabilities in their network. But the attacker wasn't the Syrian Electronic Army or Russian criminal gangs. Instead, the employees of Atlantic Media (publishers of, among others, The Atlantic and Quartz) were phished by their CTO, Tom Cochran.
Cochran was trying to identify which employees would be most susceptible to spearphishing attacks similar to those which took down huge targets like The Guardian and The Onion over the past year. Nearly half of Cochran's employees opened the email with the phishing link, and 58% of those clicked on the link itself. In an email to Fast Company, he said "I wish I could say I was surprised, but being in the industry and role I am in, I'm well aware of the ease in which one can be phished. I've been phished before (and subsequently spent a couple hours changing every single password I use). So, I wouldn't say surprised as much as slightly disappointed that it was in fact that easy to dupe someone. On the positive side, tricking people that easily made it a much more compelling ask to push the whole company to use two-step authentication, which was my ultimate objective."
Fast Company did something very similar in August. Following the August hack of Outbrain (a Fast Company partner company which is responsible for our "You Might Also Like..." links), CTO Matt Mankins conducted an impromptu security audit. Our employees were emailed by an address which faked the name of a high-level Fast Company editor and asked to click into a site that looked like one of ours, but wasn't. Nine employees, ranging from editors to advertising team members to corporate, all clicked on the link and gave our hacker login information. But luckily, it was just a drill.
Mankins told me that he felt the wake of the Outbrain attack "was a good time to run a similar attack and see how we did. I set up a Google Form, downloaded our login page, and put it on a similar, but fake domain that we own. I then connected the login form not to our CMS, but to the Google form so that whenever someone entered their password they would go directly to the Google Form. Anyone who entered their login and password would have known pretty quickly that something wasn't right. I sent the fake email to the staff without telling anyone (except Executive Editor Noah Robischon who was in on the project). I then watched to see what would happen. I wanted people to make noise and contact or warn each other, which is basically what happened. Within minutes someone from my Dev team had alerted myself and the rest of the group, so I had to let them in on the secret so we could watch what the others did."
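Both drills above rely on the same two tells: a sender whose display name belongs to a colleague but whose address does not, and a link to a domain that is a near-miss of the company's own. The following is an added example, not code from the article or from either company, that scores a message on exactly those two tells; the company domain, staff list and sample message are constructed placeholders.

```python
"""Flag display-name spoofing and lookalike link domains in one email.
Constructed example: company domains, staff directory and the sample
message are placeholders, not data from the article."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domains and a (display name -> domain) staff directory.
COMPANY_DOMAINS = {"example-news.com"}
STAFF = {"jane editor": "example-news.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss registrable domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def analyse(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Tell 1: a known colleague's name sent from a non-company domain.
    if name.lower() in STAFF and domain not in COMPANY_DOMAINS:
        findings.append(f"display-name spoof: '{name}' sent from {domain}")
    # Tell 2: a link whose domain is within two edits of a company domain.
    for host in re.findall(r"https?://([^/\s\"'>]+)", msg.get_payload()):
        reg = registrable(host)
        if reg in COMPANY_DOMAINS:
            continue
        for legit in COMPANY_DOMAINS:
            if 0 < edit_distance(reg, legit) <= 2:
                findings.append(f"lookalike domain: {host} ~ {legit}")
    return findings

# Constructed sample resembling the drill: spoofed editor name, lookalike login link.
SAMPLE = """From: Jane Editor <jane.editor@freemail.example>
To: staff@example-news.com
Subject: Please re-verify your account

Please log in at http://login.exarnple-news.com/ to keep access.
"""
```

Running `analyse(SAMPLE)` reports both the spoofed display name and the `exarnple-news.com` lookalike; a message from the real domain linking to the real site reports nothing.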
State-associated hackers, such as the Syrian Electronic Army (perpetrators of the Outbrain hack) and the Chinese military-linked teams accused of cyber break-ins, all use phishing attacks to break into targeted governments and corporations. It isn't too much of a guess to assume America's cyberwarriors spearphish, too.
Employees at Atlantic Media were sent an email shortly after the surprise security audit informing them of the result, and warning them, for the good of corporate security, to be more vigilant in the future.
Cochran, the former Director of New Media Technologies for the White House, said in a writeup the fake hack attack "attained the crucial buy-in of employees; now that they personally understand the dangerous implications of not following the rules, they're more willing to take data security seriously. People are more apt to learn from an experience than listen to a recommendation or policy. Just like a regular office fire drill, senior leadership should be running random phishing drills to give them that experience. And, the experiential learning doesn't stop with these emails."
Atlantic Media and Fast Company aren't the only organizations conducting fake hacks of their own employees to find security holes. Due to the discretion the topic usually receives (no company wants to announce their own employees will click on any file labeled "Spreadsheet" or "Meeting Agenda" from any Gmail address), it's hard to find companies going on record to talk about this.
However, CSOs from several Fortune 500 companies have given anonymized versions of their self-spearhacking experiences and Brian Krebs has reported previously on toolkits that let CTOs and IT staff fake-hack their own employees.
In a report from security firm Wombat, cybersecurity specialists discussed the obvious: how to smooth things over with hundreds or thousands of employees that might be taken as fools or feel that their tech teams want to make them look bad. One respondent said fake attacks "need to be framed correctly" because they could make employees "tend to think they are being spied on or not trusted" or are being targeted by corporate higher-ups. And, of course, when a disproportionate number of victims of fake spearphishing attacks turn out to be high-ranking or important employees, that creates office politics nightmares that no one wants to deal with.
One expert told Fast Company that this office politics nightmare scenario is likely. Patrick Peterson, head of email security firm Agari, noted that CEOs of large firms are less likely to be clicking on spearphishing links because they have more assistants standing between them and their inbox. However, he said there's always a risk of other high- or medium-level employees like CMOs, chief counsels, CFOs, and vice presidents falling victim. One of the major factors is busyness on the employee or executive's part: the more harried they are, the less likely they are to check the legitimacy of a file sent via email.
Cochran elaborated on this in our exchange, adding, "In simpler terms, nobody likes change. The perceived cost of changing the status quo was greater than the perceived benefit. There is a general false sense of security and a belief that, while hacking does happen, it won't happen to me. With beliefs like this, the benefit is almost nil, given that there is a false sense of security, coupled with the fact that increasing security would decrease convenience. The objective was to explain that 79% of hacking targets victims of opportunity, and it is really easy to be tricked into handing over your password. Demonstrating that almost immediately proved that the benefit of changing far outweighed the cost of changing behavior."
But it's necessary. Carl Herberger of security firm Radware told me that "Phishing, and social engineering in general, represents one of the biggest security threats for this decade and prudent testing of desired and appropriate employee behavior is paramount for today's secure environments."
For CTOs, CSOs, and IT staff fearing cyberattacks, the question remains how to make sure that spearphishers won't succeed against the company without alienating staff that is not tech savvy. Fake attacks, it seems, can help. Spearphishing attacks can devastate a company: a distracted employee clicking on one link can cause untold amounts of damage. Conducting spot checks of cybersecurity hygiene is a smart idea for businesses. Once attacks take place, there is a massive industry of third-party firms waiting to offer defenses for the future and forensics to find out what happened, but it's best to put those anti-spearphishing blocks in place to begin with. Conducting fake spearphishing audits of employees isn't a one-size-fits-all solution, but it's a valuable tool in the arsenal.
As a Partner and Co-Founder of Predictiv and PredictivAsia, Jon specializes in management performance and organizational effectiveness for both domestic and international clients. He is an editor and author whose works include Invisible Advantage: How Intangibles are Driving Business Performance.