The Implications of the Uber Breach
How to protect your organization from a social engineering attack
Cyberhacks are commonplace in today's world, and they can happen to any company. Today it's Uber, last week it was U-Haul and the week before it was Samsung. At the root of many of these attacks is a malicious actor masquerading as a corporate IT manager or other technical role. Using this disguise, the perpetrator knows that all they have to do is convince one employee or contractor to share their credentials to gain a foothold into the targeted company's internal network. This tactic is called social engineering and is one of the key methods used in attacks that result in data breaches. These types of "unauthorized access" attacks account for 50% of all data breaches and can cost companies as much as $9.5M dollars to remediate per incident.
It's a frustrating reality for CIOs because these types of breaches are preventable as long as their companies implement the right technologies, policies, and procedures and educate their employees on how to be extra vigilant in the digital world.
In my experience, one of the most difficult aspects of protecting an organization is making sure all team members understand the importance of building security into their everyday roles. Employees need to adopt the mindset of "security first." Simple things such as not clicking on unknown attachments or deleting a suspicious request for a passcode are easy ways to stay out of harm's way.
CIOs must come to grips with the fact that we're all human and that shortcuts don't have a place when developing strong cybersecurity habits. Even the smallest and seemingly insignificant technical toe-stub can open the door to a potential bad actor. Our job is to look at the problem holistically. No amount of investment in the latest technology can provide 100% protection because technology alone is not enough. It has to be complemented with well-designed, enforceable policies, proven procedures, and strong system hygiene coupled with continuous education and awareness.
Let's take a look at some practical steps you can take to protect your organization now:
- Embrace zero trust.
- Building strong policies and procedures.
- Continuously educating your workforce.
Zero Trust Goes Beyond Products
Zero trust is built on the principle that no person or device inside or outside of an organization's network should be granted access to connect to systems until authenticated and continuously verified. A CIO's top priority is to incorporate zero trust into their approach to cyber security.
User access must be calculated constantly from as many different data points as possible. Companies need to leverage artificial intelligence (AI) to combat account takeovers and tackle fraud at the front door and subsequently throughout their networks.
As an example, the ForgeRock Identity and Access Management (IAM) platform continuously assesses risk as part of its access management capability to provide a zero trust environment. However zero trust needs to be applied to everything we do online. This means deploying the best cybersecurity technology that implements a zero trust paradigm; developing and implementing policies and procedures that reinforce zero trust and redundancy; and educating users and systems administrators to follow procedures that mitigate risk.
Build Strong Policies and Procedures
Most successful attacks are the result of routine lapses and failing to know what endpoints are connecting to your network. To prevent this, it is important to practice good cyber hygiene by patching operating systems and applications, backing up data, updating and whitelisting applications, limiting privileges, and using multi-factor (MFA) authentication
CIOs need to understand where their technology assets are, what software is in use company-wide, and identify unsanctioned software which, more often than not, has not been properly configured, patched, updated, or secured, creating an attractive entry point for attackers.
Internal hygiene is critical, and that includes ensuring that system level usernames and passwords are not hard-coded. If that is necessary, make sure there is regular rotation of those system passwords. Performing regular, routine maintenance, automated patching, and isolating personal devices is all part of ensuring your organization is protected.
Continuously Educate Your Workforce
Outside of technology, there is the element of human error and risk. It is critical to any business that employees are regularly educated and tested to ensure they have a strong understanding of cyber risk and the part they play in minimizing it.
One important and often overlooked element is social engineering education. For example, how much personal information are your employees actually sharing online via social media such as LinkedIn or FaceBook? This is an increasingly strong attack vector that bad actors use to understand the structure of a company. I've seen attackers target new, junior employees with a high pressure, time-sensitive request seemingly from a senior member of staff to unlock access to a company's network.
Finding new ways to keep your teams educated requires some serious thought. Training should not be a "one size fits all" approach. It needs to be tailored to teams and roles. I am sure that sometimes I drive my team crazy, but I have been known, on occasion, to contact my help desk team in an attempt to impersonate various employee roles to ensure they stay on their toes. I think it's an important aspect of understanding the maturity of a team with elevated access to many systems.
Phishing scams are another common method used to gain unauthorized access. Employees should be trained to identify malicious emails, URLs, and attachments that often are sent by attackers to their corporate or personal inboxes, or any other avenue, such as SMS.
Lastly, training has to be non-negotiable. Companies need to follow up to ensure that employees have participated in relevant training and fully understood its implications. Furthermore, employers need to make it clear there are ramifications should individuals intentionally circumvent security policies and procedures.
The correct balance for preventing any cyber attack spans people, process and technology. If you get that trio right, your organization will thrive.
Learn more by checking out these resources:
- Blog: How Your Organization Can Prevent Account Takeover
- White Paper: Cloud Without Compromise: IAM for the Hybrid Enterprise
Find out more about social engineering threats here: https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html