The Human Factor in Preventing Data Breaches
There are a number of programs an IT professional can implement to make their organization’s IT infrastructure less vulnerable to cyberattack. However, recent evidence indicates that an educated user base may be the best line of defense. According to the 2018 Cost of Data Breach study conducted by the Ponemon Institute, 25% of data breaches in the U.S. are triggered by human error. These errors include misdirected email and failure to properly delete sensitive data once it is no longer needed. Intentional but non-malicious actions by staff, such as permitting unauthorized access, disclosing data to a trusted colleague or friend, or merely snooping, are an avoidable source of breaches. An additional 30% of data breaches come as the result of “Social Engineering”. Social engineering breaches are efforts by hackers to manipulate unwitting users into providing credentials that allow illegal access to a secure system.
Social Engineering Techniques
There are a number of techniques hackers use to get a user to hand over information. Some of the most common forms are:
Phishing: Most of us have seen phishing attacks, which are usually emails supposedly from social web sites (such as Facebook), financial institutions (such as banks or credit card companies), IT organizations (such as Microsoft or Google) or even the government. The emails typically ask the user to call, email, or text the organization “to confirm their identity” by providing a username and password; the contact information given is fake and redirects the user to the hacker. While some of these attacks are laughably crude, full of misspellings and poor grammar, phishing attacks are becoming increasingly sophisticated.
Spear Phishing: Spear phishing takes the phishing concept to a higher level. The primary difference is that spear phishing is directed at a specific target individual or organization. In this case, the attacker researches the target, gathering publicly available information, and uses it to send a sophisticated and believable email intended to get the unsuspecting user to provide login credentials or download malware. The email may profess to come from an executive or loved one seeking help or giving instructions. A sophisticated spear phishing attack is extremely difficult for an untrained user to defend against. In 2016, an employee of Snapchat sent sensitive financial data to a spear phisher masquerading as the company’s CEO. Spear phishing scams are estimated to cost organizations about $1 billion per year.
Pretexting: Most people have seen the physical form of this scam on television: a private eye gets a hotel room number by pretending to be a friend of the guest, for example. In the IT world, a hacker may hold a small piece of information about a target, such as the last four digits of their social security number or their birth date. The hacker uses this information to obtain more, such as bank credentials, credit card numbers, or a full social security number.
Rogue Software: Rogue software masquerades as a free anti-virus or anti-spyware application but in fact does the opposite of what it claims. Organizations usually combat rogue software with security controls such as next-generation endpoint protection and managed firewall services. However, home computers and laptops may be susceptible, and their users may unwittingly carry infections into the organization.
Quid Pro Quo: A quid pro quo attack is often carried out as part of a phishing or spear phishing attack. As the name implies, it typically offers something (such as a “quick” bug fix or security patch) in exchange for something from the user (such as login credentials “to permit remote access” or briefly turning off an antivirus application). The offeror typically poses as a help desk worker from an IT firm or may assume the identity of an IT professional within the user’s own organization.
Baiting: Long the most tried and true method of scamming individuals, baiting, as the word implies, entails dangling bait in front of a user to get them to “bite”, that is, to take an action that allows malware into an IT environment. Like phishing, baiting can be general and undirected, or sophisticated and targeted at a specific individual or organization. Baiting also comes in the form of an enticement (such as pornography or offers of money) or a threat (such as fictitious impending legal action or actual blackmail).
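As an added example (not code from the article, ETTE or KnowBe4), the following Python check shows how a defender can triage an incoming message for the phishing cues described above: a brand name in the display name that does not match the real sender domain, a Reply-To that redirects the conversation elsewhere, and a request to confirm identity by supplying a username and password. The brand allow-list and the sample message are constructed assumptions.

```python
# Added example, not from the article: a defender-side triage check for the
# phishing cues the article describes (impersonated brand in the display name,
# replies redirected to the attacker, and "confirm your identity" requests for
# a username and password). Brand list and sample message are constructed.
import email
import re
from email.utils import parseaddr

# Hypothetical allow-list: brands the organization expects mail from, and the
# domains each brand legitimately sends from.
KNOWN_BRANDS = {
    "example bank": {"examplebank.com"},
    "it service desk": {"corp.example"},
}

CREDENTIAL_PHRASES = [r"confirm your identity", r"verify your account",
    r"(provide|enter|reply with) your (username|password|login|credentials)"]

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the phishing cues found in an RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    findings = []
    # Cue 1: the display name claims a brand that does not send from this domain.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            findings.append(f"brand '{display_name}' but sender domain {sender_domain}")
    # Cue 2: replies are redirected to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To redirects to {reply_to}")
    # Cue 3: the body asks the recipient to hand over credentials.
    body = msg.get_payload(decode=True) or b""
    text = body.decode("utf-8", errors="replace").lower()
    for pattern in CREDENTIAL_PHRASES:
        if re.search(pattern, text):
            findings.append(f"credential request matches /{pattern}/")
    return findings

# Constructed sample: lookalike sender domain, redirected replies, credential ask.
PHISHING_SAMPLE = """From: Example Bank Security <alerts@examp1e-bank-login.net>
Reply-To: verify@mailbox-secure.example
Subject: Action required
Content-Type: text/plain

Dear customer, please confirm your identity by replying with your username and password.
"""
```

Running `phishing_indicators(PHISHING_SAMPLE)` yields three findings, one per cue; a message whose display name, sender domain and body are consistent yields none.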
ETTE Can Help
ETTE, through its partner company KnowBe4, provides some of the most effective security awareness training available. The online training course is engaging, easy to incorporate into your IT environment, and strongly supported at both the user and technical level.
The most effective training program is one where trainees must apply what they have learned on a regular basis after the training. Our training program does just that. Following completion of security awareness training, the organization’s managers and IT professionals can create drills to test users’ security awareness. These drills send simulated phishing emails and other social engineering attacks to confirm that users apply their training. Users who are successfully phished can be scheduled for further training.
As can be seen from the graph below, studies on the effectiveness of training typically show a 50% improvement in phishing-resistant staff immediately following training. However, our program obtains its most dramatic results (over a 90% improvement in resistance after one year) from the regular practice that attack simulations provide.