While most agencies are focused on the technology of cybersecurity, the truth is that one of the easiest ways for cybercriminals to get onto a network is to target people, not networks. The Department of Defense has found that a highly effective way to breach a network is by leaving thumb drives in and around an organization’s parking lots and smoking areas. In fact, according to Bryant G. Tow, Managing Partner of CyberRisk Solutions LLC, if there is a company logo on the thumb drive, employees are even more likely to pick it up, walk it past the billion-dollar security system, plug it into their computer, and infect the system.
Today’s cybercriminals are focusing on people when they target a company, according to Tow. If an agency isn’t including training and awareness in its efforts, it is leaving a huge gap in its Ring of Security. In his recent presentation at the Comstor Federal Summit, Tow said that all hacks follow the same “kill chain”: reconnaissance, luring a participating employee, redirecting information, exploiting the network, dropping the malware, and stealing data. These attacks are highly effective because of either apathy or a lack of employee education about today’s threat environment. As Tow put it, “If you have bandwidth, processing power and storage, you have the tools that any cybercriminal can use against you in any number of ways.”
Tow said he wasn’t trying to scare Federal Summit attendees, but rather, he was trying to educate them so they could understand the current threat landscape and be able to share what is going on in real time with their clients. “If your customers don’t know this, they should know it. If you teach them, then you are building that trust relationship with them.”
He outlined several additional real-time – and frightening – ways that cybercriminals are targeting people to breach networks:
- Sophisticated spear phishing – In one recent case, a CEO received an email from his child’s school with an attachment of snow bus routes during a snowstorm. It was such a good fake that he believed it, clicked on the bus route schedule (which included actual bus routes), then used the same laptop to log onto his company’s VPN network, thereby granting access to his company network.
- Ransomware – This tactic involves holding data “hostage”: breaching the network, encrypting the data (document files, photos, etc.), jumping onto the network drives, and then encrypting those as well. The organization receives a ransom note instructing it to deposit bitcoins in order to get the key to decrypt the data. This malware enters the system when someone clicks on a link (again, the people factor, according to Tow), and there is no recovery for it other than restoring from backup. You can try to find the offending machine, but the chances are that the malware has gone polymorphic, meaning it changed itself as it propagated across the network. The signature you find on one machine will not be the same as on all the others, so you will have to find every one of these unique signatures, burn those machines, and go to backup.
- Business email compromise (BEC) attacks – These attacks are highly sophisticated because the cybercriminal will profile an agency using social media – LinkedIn, for example – to build an org chart and to learn about its vendors and partners. By the time the attack starts, the criminal knows as much about your organization as you do. They send an email that appears to come from the CEO or CFO, request a wire transfer of money for a project, and attach an invoice that closely resembles one from a real vendor used by that company. The money actually goes to a fake account, and the invoice is infected with malware. You have lost money, and your system is infected.
- Malvertising – This is a newer tactic and involves the injection of malware into pop-up ads. An employee searches on Amazon and then goes to a site that allows pop-up ads tailored to reflect that Amazon search (for books, or a vacation or a barbecue grill). In the milliseconds it takes to create these ads, they are infected and built specifically for that recent search.
The only way to solve the problem, Tow said, is to look at cybersecurity/cyber risk from a vantage point that includes people, processes, technology, and facilities. Unfortunately, especially in the federal space, it is usually looked at as only a technology issue. That is beginning to change, but it will be up to partners, such as those at the Comstor Federal Summit, to help educate their customers about these new, targeted, specific attacks against “the human operating system.”