Who is your weakest link? by Richard Hill, Stepien Lake
This blog post was also featured as a column in the March 2016 issue of Legal Practice Management magazine. To read the issue in full, download LPM magazine.
The impression many have of a cyber attack is either the stereotypical Hollywood film version – the teenager in their bedroom hacking into high-security government networks – or an elaborate Mission Impossible style hack through multilayered high-tech defence systems. Possibly hanging from a harness. But the reality of the threat facing businesses like ours is much simpler.
Attackers are moving away from the automated running of malicious code and are now exploiting human behaviour and using people (on the inside) to unwittingly work for them. Social engineering is the most prolific attack technique used by attackers to gain access to secure systems and sensitive information. The technique involves manipulating individuals to induce them to carry out specific actions or to divulge sensitive information by posing as a legitimate source.
Social engineering in itself does not necessarily require a large amount of technical knowledge. There are three ways in which individuals unknowingly work for attackers:
- They act as their facilitator by running attackers' malicious code for them (such as malware or ransomware) by clicking on corrupt links or attachments in emails.
- They act as the middleman by handing over secure credentials so the attacker can use them.
- And lastly they may directly work for attackers by transferring money to them.
So, instead of doing battle with firewalls and IT security systems, criminals target people. The majority of the time this is by email and is known as phishing or spear phishing – sending a bogus email tailored to an individual so that it looks genuine, trying to entice the individual to click on a document (more popular than a corrupt website link).
The most likely payload is a malicious Microsoft Office macro which, when the document is opened, runs a variety of operations, including automatically downloading a piece of malware onto the individual’s computer. Phishing emails of this type can also request usernames or passwords from a seemingly legitimate source, tricking the individual into handing over the information, or ’the keys to the castle’.
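One check a mail gateway or attachment-scanning script can make against the macro-laden documents described above: an OOXML file (docx, docm, xlsm, pptm) is a zip container, and embedded VBA lives in a `vbaProject.bin` part that `[Content_Types].xml` also declares. The example below is added here and is not code from the original column; the `build_sample_docx` helper constructs a deliberately minimal fake container purely so the check has something to run against offline, and the file layout and content type it uses are assumptions that match the OOXML package conventions rather than anything taken from this page.

```python
import io
import zipfile

# Content type that OOXML packages declare for an embedded VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(doc_bytes: bytes) -> dict:
    """Inspect the bytes of an Office attachment for an embedded VBA project.

    Returns a dict of findings; an empty dict means no VBA container was
    found. The file extension is deliberately ignored: the container is
    what is inspected, so a renamed .docm is still flagged.
    """
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = zf.namelist()
            # Any part named vbaProject.bin (word/, xl/, ppt/ ...) holds macros.
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if vba_parts:
                findings["vba_parts"] = vba_parts
            # The package manifest should also declare the VBA content type.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest:
                    findings["declares_vba_content_type"] = True
    except zipfile.BadZipFile:
        # Not a zip container: legacy binary .doc/.xls or something else
        # entirely. Those need a separate OLE-based check, so say so.
        findings["not_ooxml"] = True
    return findings


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal fake OOXML package for demonstration (assumption:
    this is NOT a real Word file, only enough structure to exercise the check)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            manifest += ('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % MACRO_CONTENT_TYPE)
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_docx(False)),
                          ("macro", build_sample_docx(True)),
                          ("legacy", b"not a zip container")):
        print(label, office_macro_indicators(sample))
```

A gateway policy built on this would quarantine any inbound attachment whose findings are non-empty and route `not_ooxml` files to a legacy-format scanner, rather than trusting the extension the sender chose.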
However, the most serious is where individuals are duped into sending money to the attackers' fraudulent bank account. The technique of choice at present is called whaling (the name derives from the analogy of the big ‘phish’), and it relies on significant research on the target business (social media being the attacker's key source of information) to identify the victim and the business hierarchy around them. The emails appear to come from a CEO or senior partner (the attacker buys a domain name similar to the target business's) and request that funds be sent to a bank account.
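The lookalike domain is the one technical tell in the whaling scenario above, and it is one a mail filter can check for. The example below is added here and is not code from the original column: it takes a From: header and the firm's genuine domain, and reports whether the sender is internal, an obvious outsider, or a lookalike (digit-for-letter swaps, a different top-level domain, the brand with extra words bolted on, or a one- or two-character misspelling). The domain `examplefirm.com`, the homoglyph table, the distance threshold and the verdict labels are all assumptions made for the demonstration.

```python
import email.utils

# Substitutions commonly used in lookalike registrations. Multi-character
# pairs come first so "rn" becomes "m" before single characters are mapped.
# (Assumption: a small illustrative table, not an exhaustive list.)
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")]


def _normalise(label: str) -> str:
    """Lower-case a domain label and undo the usual visual substitutions."""
    s = label.lower()
    for src, dst in _HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), used for misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Extract the domain of the address in a From: header, or None."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header: str, legit_domain: str) -> str:
    """Classify a sender relative to the firm's own domain.

    Verdicts: internal, internal-subdomain, external, unparseable, or one of
    the lookalike-* labels that a gateway should hold for review.
    """
    legit_domain = legit_domain.lower()
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if domain == legit_domain:
        return "internal"
    if domain.endswith("." + legit_domain):
        return "internal-subdomain"
    # Compare only the leftmost label: "examplefirm" in examplefirm.co.uk.
    brand = _normalise(legit_domain.split(".")[0])
    cand = _normalise(domain.split(".")[0])
    if cand == brand:
        # Same name once substitutions are undone, or the same name under
        # a different top-level domain (examplefirm.co vs examplefirm.com).
        return "lookalike-homoglyph-or-tld"
    if brand in cand:
        return "lookalike-contains-brand"
    # Short brands get one edit of slack, longer ones two (assumption).
    threshold = 1 if len(brand) < 8 else 2
    if _levenshtein(cand, brand) <= threshold:
        return "lookalike-edit-distance"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; examplefirm.com stands in for the firm.
    samples = [
        "Senior Partner <partner@examplefirm.com>",
        "Senior Partner <partner@examp1efirm.com>",
        "Senior Partner <partner@examplefirm.co>",
        "Accounts <accounts@examplefirm-legal.com>",
        "Senior Partner <partner@exampelfirm.com>",
        "Friend <someone@gmail.com>",
    ]
    for header in samples:
        print("%-45s %s" % (header, classify_sender(header, "examplefirm.com")))
```

Any `lookalike-*` verdict on a message that also asks for a payment is exactly the combination the column describes, and is a sensible trigger for holding the message and confirming the request by phone rather than by replying to it.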
These attacks differ in scale and volume but they all share one common theme. They all use social engineering to persuade people to do the work of malware and deliver big rewards for the attackers.
As Anne Robinson would say, ‘you are the weakest link’ ... And in my next column I'll be continuing this theme by outlining how to spot a fraudulent email - or how to catch a phish!