A chain is only as strong as its weakest link
Businesses continue to be hit harder and harder by increasingly sophisticated cyber-attacks. While many attacks are perpetrated from outside company walls, the reality is that the most looming threat comes from within: the employees.
Just two weeks ago, in the breach heard round the world, Caesars and MGM were victims of social engineering. The attack started with vishing (voice phishing) calls, where hackers impersonated an employee using LinkedIn information to trick MGM’s IT help desk personnel into resetting Multi-factor Authentication (MFA) factors for highly privileged users. Once the MFA factors were reset, the attackers accessed Okta super administrator accounts, which they used to reset authenticators and assign higher privileges to other accounts.
The breach decreased MGM’s market cap by almost $2 billion and illustrates that employees are the most significant point of failure in terms of security vulnerabilities. From sophisticated vishing, to luring employees to click suspicious links that contain spyware, to weak passwords and leaks on social media—all attack vectors can be avoided with effective cybersecurity awareness training.
The idea that a company could lose its entire reputation as a result of inadequate or nonexistent training needs to become a thing of the past. There’s far too much at stake to forgo training. In this blog, we’ll reveal the dangers employees should look out for, as well as proactive measures organizations can take to empower these employees.
First and foremost, employees need to be trained to identify attack vectors. Let’s start with vishing, as this was the vector used in the MGM/Caesars breach.
Vishing, short for "voice phishing," is a tactic used by cybercriminals to manipulate individuals over the phone and gain unauthorized access to sensitive information or systems. Vishing attacks typically start with an enticing phone call. The attacker, often posing as a trusted person, uses persuasive conversation to deceive the target. Their goal is to trick the unsuspecting victim into divulging confidential data, such as login credentials, credit card details, etc.
Employees should verify the identity of the caller independently and use official contact numbers to reach out and confirm the caller's legitimacy. They should also never share sensitive information, such as passwords or PINs, over the phone. Legitimate organizations won't ask for such details in this manner. If in doubt, hang up and call back using official contact information.
Organizations should develop a comprehensive incident response plan that includes specific steps for handling vishing incidents. Quick reporting and appropriate actions can minimize damage and prevent further breaches.
For a detailed explanation of phishing, see Align’s article, “Something Seems Phishy.”
In the early days of phishing, emails were easy to spot because they came from recognizably dubious senders, but today they have become extremely convincing. It is for this reason that every single email received should be opened with caution.
Employees should be sent mock phishing emails to ensure that they can find the signs of a suspicious email. Each time an employee successfully identifies a phishing email, the subsequent phishing tests should increase the level of difficulty, improving an employee’s ability to recognize telltale phishing signs.
Basic phishing identification tactics must be instilled in users: scrutinizing the address and domain names of senders, not haphazardly clicking on embedded links or attachments, keeping an eye out for spelling mistakes or grammatical errors and knowing that emails from legitimate sources will never ask you to send out user credentials or personal information.
Another attack vector is unsafe websites. Employees need to know that navigating to dubious sites and downloading at random can expose their entire company to spyware.
Spyware, which aims to gather information surreptitiously, can be downloaded onto a machine without user permission or knowledge. Spyware can remain hidden for a while before it is discovered, and will undoubtedly steal and potentially profit from compromised data.
Additionally, malware downloaded and executed from suspect sites often takes the form of a worm. A worm is self-propagating malware, meaning it needs no user interaction to spread like wildfire throughout a network.
This means that one employee who has received little or no training, who innocently clicks on what appears to be a new site, could lead to the undoing of an entire company.
In addition to being wary when clicking on obscure websites, employees must not turn a blind eye to software updates. Updates for your operating system, browsers and antivirus software contain security fixes that address bugs and vulnerabilities.
Applying security updates as soon as they become available is key to protecting your devices. The ultimate example of the improper application of security updates is Equifax.
If Equifax had applied Oracle’s Critical Patch Update to address the Struts vulnerability, released months before being hacked, they might have looked a little less flagrantly responsible for their downfall.
Password Security Tips
It goes without saying that employees need to abide by strong password rules. Here’s a brief checklist of password best practices:
- For a password to be considered “strong,” it should contain a combination of numbers, upper and lowercase letters, symbols and include a minimum of 8 characters
- Writing a password on a post-it and sticking it to your machine is unacceptable
- Passwords shouldn’t be easy to guess
- Change passwords routinely
- Never keep the default password
If you are envisioning a hacker typing and guessing individual passwords, think again. To give you an idea, a brute-force attack is one that simply tries all possible combinations of passwords.
- If a modern, somewhat slow computer can calculate 3,000,000 password variations in 1 second, it can crack a 6-character, single-case password in 103 seconds, clearly making the name of your dog inadequate (26^6 password variations / 3,000,000 password variations per second = 102.97 seconds).
- On the other hand, at this rate a 10-character password that is alphanumeric and contains special characters would take 208,095 years to crack, making this approach utterly useless to a hacker.
Takeaway: By increasing the number of characters and the password complexity, it becomes exponentially more difficult to crack.
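The arithmetic behind the two bullet points above, carried through as an added example (this is not the article's own code): the number of candidates is alphabet size to the power of the length, divided by the guessing rate. The 85-symbol alphabet (26 + 26 + 10 + 23 specials) and the 365-day year are assumptions chosen because they reproduce the 208,095-year figure; the 10 billion guesses per second rate is an assumed GPU-class cracking speed, included to show how much the result depends on the attacker's hardware rather than on the password alone.

```python
# Added example: worst-case brute-force time = alphabet_size ** length / rate.

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # assumption: 365-day year

# Character classes. The 23 specials are an assumption that yields an
# 85-symbol alphabet, which reproduces the article's 208,095-year figure.
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, 23
FULL_ALPHABET = LOWER + UPPER + DIGITS + SPECIALS  # 85

SLOW_PC_RATE = 3_000_000         # the article's "somewhat slow computer"
GPU_RATE = 10_000_000_000        # assumption: GPU-class cracking rig


def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length


def crack_time_seconds(length, alphabet_size, rate=SLOW_PC_RATE):
    """Worst-case seconds to exhaust the keyspace (password found last).
    On average the attacker succeeds after roughly half this time."""
    return keyspace(length, alphabet_size) / rate


def crack_time_years(length, alphabet_size, rate=SLOW_PC_RATE):
    return crack_time_seconds(length, alphabet_size, rate) / SECONDS_PER_YEAR


def growth_table(alphabet_size, lengths, rate=SLOW_PC_RATE):
    """(length, years) rows: each extra character multiplies the time."""
    return [(n, crack_time_years(n, alphabet_size, rate)) for n in lengths]


def min_length_for_years(target_years, alphabet_size, rate):
    """Smallest length whose worst-case crack time reaches target_years."""
    n = 1
    while crack_time_years(n, alphabet_size, rate) < target_years:
        n += 1
    return n


if __name__ == "__main__":
    print(f"6 lowercase letters: {crack_time_seconds(6, LOWER):.2f} s")
    print(f"10 chars, 85 symbols: {crack_time_years(10, FULL_ALPHABET):,.0f} years")
    print(f"same password vs GPU rate: {crack_time_years(10, FULL_ALPHABET, GPU_RATE):,.1f} years")
    for n, yrs in growth_table(FULL_ALPHABET, range(6, 13)):
        print(f"{n:2d} chars: {yrs:18,.3f} years")
    print("length for 100 years vs GPU:", min_length_for_years(100, FULL_ALPHABET, GPU_RATE))
```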
Testing and Enforcement
Cybersecurity education can be tedious, but it does not have to be. Employee education modules can be crafted to not only be engaging, but to improve information retention.
Effective security awareness training should cover the identification of risks, threats, mitigation and remediation.
Employees should also be tested and retrained on educational modules in a variety of formats to offer convenience and 24/7 access. But how can you make sure your employees are making progress? Reporting on education, retention and performance can be provided to those managing employee education.
Empower your employees by making them an integral defender of your business environment with effective cybersecurity awareness training. Further, protect your business from advanced cyber attacks with a comprehensive, state-of-the-art Cybersecurity Program.
To explore Align's award-winning services, check out the below links:
- Cybersecurity Advisory Services
- Managed Threat Protection
- Vulnerability Management
- Cybersecurity Education
- Customized Cybersecurity Programs
- Outsourced Virtual Chief Information Security Officer (vCISO)