Security professionals spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults—in some cases, protecting those key-holders from themselves.
This comes to mind as a recent story in The Intercept reminded us of how easy we often make it for bad guys to impersonate us and, in effect, steal our access. In other words, there are two ways to get access to a caged animal in a zoo. You can break the lock on the cage or you can get a zookeeper drunk and con him into letting you in. Enterprise IT security teams today are getting quite good at making those cage locks tamperproof. They are, however, dropping the ball at keeping their zookeepers sober.
The Intercept piece was discussing a version of this technique leveraged by the U.S. National Security Agency itself: "The memos explained how the NSA tracks down the email and Facebook accounts of systems administrators who oversee computer networks. After plundering their accounts, the NSA can impersonate the admins to get into their computer networks and pilfer the data flowing through them. As (one official) wrote, 'Sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network. Who better to target than the person that already has the keys to the kingdom?'"
This is simply the latest version of social engineering, which itself is just the normal protocol for a con artist. The process is simple: gather as much information as you can about the target and then use that information to trick other people into thinking you are the target. Alternatively, the con artist can use that information to convince the target that the con artist is some authorized person, such as law enforcement, a bank employee, someone working in your company's payroll office, etc.
Consider the experience of Mark Fidel, president of New Mexico-based security firm RiskSense and a strict believer in rigid separation of security and financial duties as a breach avoidance tactic. He pointed to a recent incident at his firm, where an attacker who had done his homework tried to trick the company's CFO into making an unauthorized transfer of $20,000 to an external bank account in Georgia. It would have worked, too, Fidel said, had the politeness of the e-mail not raised his suspicions.
In the e-mail, which purported to come from the CEO, the closing line said "Kindly e-mail me back with a confirmation." Said Fidel candidly: "Our CEO would never have said 'kindly.'"
"Our CFO sent it to our office manager/bookkeeper. She can initiate, but I have to complete it," Fidel said. "I read the e-mail and said 'This has to be a scam,' just knowing the CEO. If the CFO had authorization and capability, that is the bad guy's success right there."
Fidel was impressed, though, with how close the attacker came and how well planned the attack was. That CFO is a contracted officer and he's not even listed on the company's Web site. "The only place he's listed is on LinkedIn. That's where they probably pulled it. They correctly guessed the e-mail format and they spoofed the right address. It was a pretty good effort."
Another very effective hole is one that a company's IT people—most often coders—dig for themselves. In another LinkedIn example, these technical folk offer lots of specific and confidential information about systems and software. They do this to showcase their technical skills: they refer to some big problem with some software or routers, detail the scope of the problem, and then spell out how they fixed it. Great stuff for LinkedIn. And it's even better stuff for cyberthieves.
Are there policies in your company that limit what people can reveal? Do they understand that the confidentiality agreements every new employee signs apply to LinkedIn profiles? That they apply to what they can say on a resume?
It's amazing how specific the information routinely shared on various social media is. But policies alone will do little if they are not enforced. Do you have anyone who actively looks for these leaks in social media? If not, you have no defense.
This problem, however, won't be solved solely by plugging leaks of truly corporate confidential information. These identity thieves also love to access fully personal details. Truly social details (shopping, vacation) on Facebook and Twitter may not seem to be a security threat to Boeing or Hilton, but they are.
What if a thief writes a note to the victim's colleague that says "Hi, Jan. When I come back from this beautiful Tahitian village on Tuesday—if I choose to come back at all—I need to get some paperwork wrapped up right away. Can you please send me the payments history for Chevron so I can review it on the plane ride home?" The casual references to the location of the vacation and the anticipated date of return can help trick a colleague into thinking this is the real person.
Some thieves try to avoid the kind of tipoff that Fidel spoke of (the one where excessive politeness raised suspicions) by reading as many social posts by the victim as possible, looking for commonly used phrases and style of writing. An identity thief who does her homework can prove to be quite effective.