Why is a human the weakest link? History has confirmed this thesis many times. For ages people have tried to protect themselves in various ways. In ancient times and in the Middle Ages, defensive walls were the best protection, but the gate and the people guarding it were still the weakest elements. Consider ancient Greece and the Trojan horse: a trap that the defenders themselves carried inside the city, letting the invaders conquer a well-protected town. In later ages both security and people evolved, and we moved from the "real world" into the cyber world. With broad access to the Internet, cyber security has become a crucial element of our daily life.
Modern cyber security defenses are mature: tested, verified and proven to work as designed. They are not perfect, however, because they do not protect us against social attacks. That is the moment when our awareness becomes the critical part. Even Kevin Mitnick, the most famous hacker, said that he broke the people, not the systems. So the most fragile part is not the IT system but the user.
Why am I telling you this? Because in our daily life we use dozens or even hundreds of IT systems that can strongly influence our personal life. If we lost control of one of them, say the app that controls a robot vacuum cleaner, nothing terrible would happen; at worst it starts in the middle of the night and makes a lot of noise. But what if we lost control over our bank access? The damage would be significant.
The cases mentioned so far are personal ones, so they affect a limited number of people at a time. Let's consider broader cases.
Impact on company
What if I were the CEO of a big enterprise and lost control of my Twitter account, and somebody posted something about the company that crashed the share price? A very feasible financial and reputational loss in front of a wide audience. Fortunately, a false statement is relatively "easy to fix" with a public correction. This kind of attack targets a narrow group of people. Let's consider another case: the goal of the attack is to get access to internal company resources. Access is usually controlled by Active Directory, so the same login and password open multiple systems. The target can be a customer list, pricing details, company strategy and so on.
Now try to imagine what would happen if an attacker got access to a colleague's mailbox and started sending emails in his name, with a link to a previously prepared web page that looks like a typical internal company site and asks for the domain login and password. This is an insider-style threat, built on knowledge of how the company works. If such an attack started around 9 AM, when most people are arriving at the office and begin the day by reading email, the damage would be huge, because the number of credentials leaked in a short time would be significant. That is why access control (e.g. revoking the access of people who have left the company) is so important: sometimes such people try to take revenge by stealing data.
How to recognize an attack
What do such attacks have in common? They usually start with an email. Not a plain-text one, but a well-prepared, well-styled message with the right logos and a sender domain very similar to the one we expect (e.g. our bank, or the company we work for). The crucial part is a link that redirects to an external server that harvests the data. Such abuse of trust succeeds in roughly 3% of cases when the email comes from an external mailbox, but when it appears to come from a co-worker the success rate may be close to 50% within a very short time. With such a high success rate a company can lose a lot of data, its reputation and all of its customers, which may be its end. A good example is a Polish hosting firm: after an attack by an ex-employee, a strange PR response and the loss of its backups, it lost all its customers and collapsed within a few days.
How to protect?
Training, training and once more training. The security department should run such exercises (simulated phishing attempts) on a regular basis without notifying employees in advance. Whoever clicks the link gets additional mandatory training. It is a very good and efficient solution. Only an educated person knows how to react to a suspicious email (or to another attack vector such as a phone call).
But how can I protect myself if nobody trains me? First of all, do not open any email until you are sure you need to open it. Then check the sending server (whether it comes from a trusted provider or not); the From line is trivial to forge, so look at the Reply-To and Return-Path addresses and, if your client shows them, the Received headers. Before clicking any link, check where it really leads: hover over it, because the text you see and the address behind it can differ. If the target does not look like a trusted domain, check it in the public registry with a WHOIS tool (e.g. https://mxtoolbox.com/Whois.aspx). If it was registered very recently, you can be almost sure it is a dangerous site. If you do open such a site, a missing or invalid TLS certificate may also be an indicator that something is wrong (all major browsers warn that the certificate is invalid). Never enter a password on a page that is not protected by TLS (you recognize it by the address, which should start with https rather than http). Keep in mind, though, that the opposite does not hold: a valid certificate and a padlock are no proof of legitimacy. Certificates are free and automated today, so most phishing sites have one too; the padlock only tells you the connection is encrypted, not who is on the other end.
What to do if I visited a suspicious site?
It is not so bad as long as you did not provide sensitive data such as a bank login and password. If you did, change them immediately, using a different computer or device (or via the call centre if applicable), and report the incident to the bank or to your company's security team. Under some circumstances the site may leave malware on your system, and from there it can spread across the entire network. The WannaCry attack of May 2017, which paralyzed some big companies, shows how far damage can travel once one machine is infected: it moved between machines on its own through an SMB vulnerability, so a single compromised host could take down a whole network. A mandatory step is therefore cleaning your computer with an anti-virus and anti-malware scan (or a full reinstall of the system).