Business executive fraud scams that hit the media usually involve senior officials tricked through social engineering into sending large amounts of money to a criminal posing as a legitimate contact.
However, social engineering can also be used to get anything – even bidding information.
That’s what happened to an unnamed Canadian firm as recounted by David Ostertag, global investigations manager for Verizon Enterprise Solutions’ investigative response unit, which looked into the incident:
“The data the bad guy was going after was the bottom line of a real estate deal,” he told reporters Thursday at Verizon’s Toronto office. The target was the official who knew the company’s strategy. The goal was to create a phishing email to get information.
Using social media like Facebook and LinkedIn, and in some cases calling company staffers while impersonating an employee, the attacker learned the firm’s structure and its lingo to craft the email to the executive.
Ostertag didn’t detail what was in that email the official fell for, saying only the Canadian company paid significantly more than it would have had the firm’s negotiating strategy not been known.
Shown later what had happened, Ostertag quoted the official saying, “Knowing now that my company lost several million dollars on this real estate deal, I would still open that email. It’s that good.”
So, Ostertag concluded, despite all the awareness training organizations do, “some of these are really so good, they (attackers) have done their homework so well you could do all the training you want and the recipient is going to open it.”
Still, he maintained that there are many basic security steps CISOs and infosec pros should be following – but aren’t. These include:
–Email content filtering. Half of phishing exploits include an attachment that has a malicious executable, he pointed out;
–Multifactor authentication for logging into applications and systems to stop credential theft. “It’s something that’s simple but appears to be difficult” for some, he said;
–Centralized logging and monitoring of network and log data. “Very basic, very simple, but a lot of the organizations we go in we don’t see it … If you don’t have the logs how do you know what’s going on?”
–Ensuring default passwords on systems are changed. “That’s not high tech.”
Attackers “want to spend the least amount of resources to get the greatest benefit – it’s a financial thing. If you can use their playbook against them to make it financially more costly to them they’re going to go somewhere else. So if you put good basic security in place chances are you’re going to stop them.”
User awareness training is a sticky issue: It has to be done, but some CISOs wonder about its effectiveness.
Statistics from Verizon’s international data breach investigations report, released earlier this year, show that 13 per cent of employees will open attachments or click on phishing links no matter how much awareness training an organization does. That led a CIBC official at a conference earlier this month to say he’s almost given up on it.
What kind of training works? “We are better at knowing what doesn’t work than what does,” Ostertag admitted in an interview. But many CISOs have told him it’s vital to immediately re-train staff who fail an awareness test.
He did say that CISOs do have to encourage the 87 per cent who don’t open suspicious attachments to report their concerns rather than just hit the delete key.
At the conference the bank executive said there is a solution: Implement gateway attachment scanning. It could delay email by up to five minutes, he conceded, but dramatically improve security. However, he said, management at organizations he’s worked for refuse to impede email.
Ostertag was neutral. “That’s a tradeoff the organization has to make,” he said. On the other hand, he added, any delay in executing malware helps the defence because some malware “beacons” to a command and control server with an IP address. Many of those addresses are only valid for a short period of time.
He agreed with a suggestion that while organizations do a lot in cyber security, companies rarely do everything right.
Take the Payment Card Industry data security standard (PCI/DSS). Ostertag said since it was released there has never been a breach of payment core data where the breached organization has been compliant at the time of the incident. “So what we find is a lot of times organizations understand what are best practices, what basic minimum threshold security practices are, (but) it just doesn’t work in everyday life.”
For example, he said a typical security assessor reads an organization’s policies and procedures, interviews key managers on what is done and concludes the firm is compliant. “What they don’t do is sample and verify that’s actually going on. A lot of times that’s where the gap is.”
Similarly, when development teams create a Web application they do the right things before making it live – ensure secure coding, code review, run vulnerability scans on code, perform manual penetration testing. But, Ostertag added, this isn’t carried over into change management, so updates have vulnerabilities.
“We’re getting better at protecting data – put access controls around it, encrypt data at rest, all the things we know we should do.” So attackers are increasingly targeting end user devices, where sensitive data may reside and security is weaker.