Wednesday, March 30, 2016

Human Factor

A person or group focused on social engineering attacks generally has the benefit of experience and is keenly aware of human character.
Social engineering attacks use many tools to mislead the target into believing the attacker’s script. The commonality across these attacks is the human factor. One attribute most of the population internalizes is to be helpful, or to provide assistance when asked. We tend to be social creatures, and if one member of the group needs assistance, another member of the group will offer to be there.
Recently this has been applied to rather high-profile services. A widely respected info sec author/blogger’s PayPal account was compromised. The social engineer used the general attack methodology. As the target was well known, the attacker was able to search general and social media for his background data. With this in hand, the attacker could call the service and assume his identity. This clearly is not optimal.
In yet another highly publicized example, an Amazon customer was victimized. In this instance the user had an account at Amazon, like so many others. Here, however, the attacker depended on the customer service representative’s good nature and willingness to help the “customer” who seemingly needed it. The “customer” did not have the product that was purchased, did not have the last four digits of the credit card number (as it was his work credit card), really needed to get the report back to his manager, did not have access to the account, did not know the expiration date of the card, etc. The only thing the person knew was that the card was a VISA. Statistically, that left at least a 33% chance of guessing correctly. Given the prior conversation, the customer service representative would probably have allowed the “customer” to guess until correct.
Lessons to Apply
This contact is yet another example of why there needs to be a better training program. Training needs to consist of more than the usual presentation on the negative consequences of a successful social engineering attack. Staff need not be afraid to ask simple, direct questions. If wrong or inconclusive answers are given, the conversation should go no further.
Red Flags
There were several red flags in this exercise in mental gymnastics. First, chronologically, the “customer” wanted a refund even before the product arrived. On its face this is exceptionally odd. As a rule of thumb in the industry, the person orders the product, receives it, decides it just will not work, and asks to return it. This should have been a red flag.
Regarding the credit card, the “customer” did not have it, did not have the last four digits of the card number, could not even give the last two digits, and asked for the expiration date on the card. If the “customer” did not have the card to verify the last four or two digits, how would the “customer” be able to verify the card by its expiration date? The “customer” would not, as this was a farce.
The “customer” said at one point that he did not have access to the account. Logging in requires only two pieces of data, the login and the password, and a legitimate customer should clearly have known both.
Best Course
There is a distinctly different course of action that should have been followed. The customer service representative should have used a bit of common sense rather than bending over backward to give the “customer” every opportunity to commit fraud and then helping the “customer” log in. When something starts to smell, as it did here, the representative should stop, review the situation, and ask questions.
Lessons

Sys Admins, please provide the training the staff needs. At times people can get too caught up in their jobs and forget what else they are responsible for: info sec and keeping others’ data safe. If not, you may be breached and getting a call from the government agencies.

New Year!

Each New Year brings with it the opportunity to start fresh and learn from the prior year’s errors and victories. The division between the years allows for this reflection. With the upcoming year, there are a number of initiatives the corporate CTO/CISO can implement to better the business and further mitigate the risks associated with its operations and the business itself.
One action item for the corporation to accomplish, if it has not been done already, is to hire a qualified Information Security Engineer/Architect. This should be a top priority if it is not already done. This person will be able to assess the enterprise, advise what needs to be done, and begin to implement the changes.
Communicate with your staff and ensure they follow the resulting policies. One of the more profitable attacks that gained traction over the last year was ransomware against everyday consumers, manufacturers, and hospitals, along with the executive pay scam. The former involves anyone at work or home simply clicking on an image or opening a malicious file. The latter involves a multi-step social engineering process targeting a staff member, so that funds are wired from the business on the false behest of the C-level. To mitigate this attack, people need to know they don’t have to click on everything, including kitten pictures. The business can also communicate its wiring processes and simply verify the email to mitigate this risk.
During the next year, a focus should be on training the staff to better recognize social engineering attempts. The training cannot be the same mindless, boring presentations with graphs on PowerPoint slides. The training needs to be engaging and interesting. The role of the training staff is not to entertain, but this helps with knowledge retention over time. No training will be perfect; however, every little bit assists in mitigating the risks. The alternative is to become a victim of social engineering and have to manage the issues arising from this.

Here is to a New Year with a focus of securing the enterprise! 

Healthcare

The problem with healthcare and info sec lies in the primary objective of healthcare. Fortunately for all of us, the directive of the healthcare industry is patient care. Prima facie, this is common sense. The hospital or other facility, in fulfilling its mission, has to share data (patient records, prescriptions presently being taken, treatment plans, etc.) among multiple parties. This provides an opportunity for breaches, as the endpoints for attack increase exponentially. Instead of one person or group having access, there are many others who require it.
The increase in the number of persons with access provides many more targets for social engineers. This increase in vulnerable endpoints lets attackers focus their work on exploiting and breaching the healthcare provider. Not-so-gentle reminders of this issue are the hospital breaches and encrypted files/servers, especially the recent example in Hollywood with the ransomware payment of $17k, and the infamous OPM breach.
To mitigate this, there is a simple formula. The issue has been, and will continue to be, difficult for the user to implement. The most direct strategy involves training. The standard training regimen is completely applicable. Given the data flow and number of endpoints, coupled with the liability to the entity in the event of a breach, additional training is reasonable. The staff members (nurses, nursing assistants, physicians, physician assistants, and others) need to know what to be aware of. The training would need to focus on spear phishing and the methods social engineers use to build rapport, so the staff members are aware of what modes of attack may be used.

With this being done, the opportunity for a successful breach would be lowered. 

Hacktivists

Social engineering attempts are not going to diminish in number any time soon. This will be a persistent threat indefinitely. It used to be in the early days (I am able to use this term as my first experience was coding in BASIC and C in the 1980s) that “hackers” would work to breach a system as a badge earned and to build credibility among peers. Attackers now view this more as a business and use social engineering for financial gain. Recently over $50M was stolen from the aircraft manufacturer FACC. On January 19th it was reported that Crela Bank, a Belgian bank, has a $75.8M claim due to the same type of CEO fraud scam reported on earlier. In mid-February a hospital in Hollywood paid $17K to receive the key for the encryption on their servers. The hospital had to stop using their electronic medical records/electronic health records (EMR/EHR) and was using pen and paper due to the issue. These are not the only high-dollar incidents, only the recent occurrences. As long as money can be made, social engineering will continue to be operationalized as a business. This will also draw others to this nefarious line of work.
Hacktivists may also use social engineering to embarrass people or agencies, or to bring facts to the forefront. Hacktivists may be of any age and skill level. In early October 2015, teenage attacker(s) breached the CIA Director’s email. Recently, the Director of National Intelligence’s email was breached. The breaches were a product of social engineering third parties, e.g. Verizon, and not the directly affected person.

One lesson to be learned from this involves being vigilant, watching your accounts, and authenticating people who call you claiming to be from a business. If users continue to be lackadaisical, there will continue to be issues. Some of these lessons are expensive, and others yet more expensive.

Tuesday, October 20, 2015

Security through obscurity is not a valid or reliable plan

Security through obscurity still does not work in the long term. The hope with this camouflage is that the attackers won't notice you. That does not exactly work in reality. Granted, there are higher-value targets and lower-value targets for the attackers. There is the case, however, where you are noticed by the attackers. It could be by accident, because they saw one of your trucks, or because the attacker is a disgruntled ex-employee or customer.

It is always better to have a security plan in place. You never know when the business will be targeted. Although hindsight is 20/20, foresight is not.

Wednesday, August 26, 2015

A Breach is a Symptom

I was listening to a cybersecurity podcast recently and the guest made the statement "A breach is a symptom of the deeper problem." Too often we focus on the outwardly visible and notable aspects of an issue versus the underlying problem.

Without addressing the real problem driving the symptom, these issues will continue to percolate and show themselves, too often at inopportune times. This may take more time, energy, and effort in the short run, but will often pay the dividends many times over through the future.

It is time to put the effort into fixing the issue, versus placing a temporary Band-Aid on it.

Tuesday, August 18, 2015

Data Leakage

Attackers generally are looking to disrupt your business and/or breach your system to steal protected health information (PHI) and personally identifiable information (PII). Disruption may be done via a DDoS or other methods to stop persons from visiting your website. Breaching your system may take a more advanced route, but still creates a massive issue.

The persons attempting to compromise the system are looking for weak points in your information/cyber security posture. This includes, depending on the circumstances, your employees, updates to the computer system, points where information is being transferred, wireless access, and other points of interest to them. Data can be transferred via Wi-Fi, email, thumb drives, and other avenues. Each of these represents a point of potential weakness that could be breached. These and other areas should be tested to ensure compliance with HIPAA, HITECH, PCI, GLBA, or other regulations relevant to your industry.

Call us for additional information and a personalized quote.

Miel, LLC Infosec Consulting
Penetration Testing and Vulnerability Assessment
810-701-5511
www.mielinfosec.blogspot.com


It is not about winning or losing, but reorienting yourself to the real problem: managing the risk across the enterprise.