End-user awareness is the missing link in cyber security
Nobody can argue that cyber security and data privacy have become hot topics this year. The buzz has been felt world-wide, as people strategize on both offensive and defensive aspects. When cyber security is mentioned, many reflexively jump to thoughts of firewalls, complex passwords and malware protection.
But, one of the most important and often overlooked security defenses is end user awareness. It requires everyone working within a sector to use their due diligence to ensure the integrity of that network’s infrastructure. Educating all employees provides a more holistic and long-lasting solution.
Simply installing the latest product on a machine isn’t a full-proof plan. Threats are where you least expect them and a recent “mock breach” mounted by Digital Locksmiths, a security services company, proves just that.
Digital Locksmiths were recently hired by a large manufacturing firm to ensure that all bases were covered when it came to potential security vulnerabilities. They started their assessment by attempting to hack into the company’s infrastructure, using common modes, such as eavesdropping, password cracking, DoS attacks and sniffing. The network was impenetrable, but they didn’t stop there. Instead, they chose another – often ignored -- route. Armed with a smile and a buttoned-up shirt, Terry Cutler, their lead ethical hacker, entered the facility posing as an innocent passerby with an urgent need to use the restroom. The receptionist smiled and buzzed him into the facility. Once inside, Cutler grabbed two programmed USB keys from his pocket and dropped them on top of the toilet paper holders located in each stall. Then he headed back to his office where, as he expected, the USBs had been brought to life by unsuspecting employees who might have just opened up their company to a massive breach.
Social engineers manipulate people using tricks and tactics, so they are basically spoon-fed confidential information. This is the main reason end-user compliance is so important.
The example shared above is known as “baiting,” a physical tactic where a device is placed in a location where it is sure to be found and the attacker simply waits for a curious onlooker to pick up the device and plug it into his or her PC. One of the most common types of social engineering attacks, phishing, also happens to be one of the simplest. It involves sending an email from what appears to be a legitimate source requesting verification or prompting a responsive action. A real example, which Digital Locksmiths once used, was to search for corporate employees on Facebook, LinkedIn and Twitter. Cutler then searched for a common interest and sent an intriguing message like, “I noticed you’re into fishing, have you tried out this sonar gadget to help your catch?,” along with a link to an exploit code. When an attacker sends this kind of credible link, once it is clicked, the attacker will be able to pull out screen shots, monitor keyboard strokes and even take an encrypted username and password to be used in what’s called a “Pass the Hash” attack.
Many companies employ over-worked, under-paid and under-trained system administrators. The lack of educated users and admins can lead to the downloading of infected files. Information security is a complex and specialized field, which means that it is crucial that governments and civilians receive specialized cyber security training. This training is extremely low cost, when compared to the financial pain companies may have to endure have if their network becomes vulnerable to attackers.
Megan Horner is the marketing coordinator for TrainACE. She can be reached at: