We sometimes think of hackers as geeky types spinning threads of arcane code to gain access to an organization’s innermost secrets, and to some extent, that’s true. What’s surprising is that an almost equally effective tactic hackers use for obtaining such information is to come right out and ask for it.
According to a 2014 study sponsored by the Carnegie Mellon CERT Insider Threat Center, more than 40 percent of organizational security professionals say their greatest concern is that their own employees will accidentally jeopardize the organization’s security. These accidental employee security breaches are called unintentional insider threats, or UITs. There are three basic types of UITs of which companies should be aware.
The best-known form of electronic UIT is phishing. Emails are sent either to targeted members of an organization or to the organization as a whole. These messages appear to come from a trusted organization (such as a bank) or from a fellow employee. They typically request verification of either personal or company information. Once the employee verifies the information, the attacker gains access to the victim’s personal information or to an organization’s computer network.
The CERT study offered a couple examples of successful phishing attacks.
In the first example, attackers sent phishing emails to the customers of a payment processing company. The emails warned the victims that they needed to download a web browser plug-in in order to gain access to a website. In reality, the plug-in was malware designed to steal the victims’ usernames and passwords. The attackers targeted the customers by name. The message also referenced the recipients’ usernames and a portion of their passwords for the site. This information was obtained by the attackers through a direct attack on the company’s servers.
In another example, an employee replied to a phishing email which they believed had come from a financial services provider. In doing so, the employee downloaded and installed keystroke-logging malware. This malware captured the employee’s credentials. The attackers then used these credentials to transfer hundreds of thousands of dollars.
Phishing is not the only kind of electronic UIT. Another common type is fraudulent websites and social media pages (Facebook, etc.) These sites target employees who surf the Internet. They trick their victims into clicking on a link, such as a music download, that installs malware on the victim’s computer. Still another common type features CDs or flash drives that, when inserted into a computer, install malware that gives the attacker access to information.
This type of attack is in some ways the most effective of all. Personal UITs are carried out by people, not machines, and it is human nature to trust other people.
One form of personal attack is dumpster diving. This involves searching the trash for documents that could benefit the attacker, such as financial records, confidential reports, or personal information.
Next is impersonation. This threat, which targets a specific individual, sometimes occurs as a follow-up attack after dumpster diving. During impersonation, the attacker poses as someone in a position of authority and asks the victim for help in solving a problem. The solution requires the victim to provide sensitive information. That new guy from IT who shows up one day to work on your computer because it’s sending a faulty IP address. He must be who he says he is, right?
Another type of personal UIT is tailgating. An attacker poses as an employee to slip into a restricted area by walking behind a person with legitimate access. Employees are victimized by this kind of attack because they’re too trusting of others, too distracted by work, or simply too embarrassed to challenge the attacker.
Lastly, don’t underestimate shoulder surfing. This form of attack is like copying off someone’s test at school. The attacker looks over the victim’s shoulder while the victim enters security codes or passwords. It’s simplicity itself, and that’s why it works. No one expects it.
You could also call this the “dumb,” or “stuff happens” type of UIT. It doesn’t require a hacker, and it’s also the hardest UIT to defend against. Someone loses a laptop or a flash drive containing vital information. Someone accidentally posts sensitive information on a website or emails it to the wrong person. Someone leaves sensitive information in the trash (remember dumpster diving?).
Attacks producing UITs are successful for a number of reasons: inadequate security systems and policies, stressful work environments, and a tendency for individuals to overlook threats (the “It can’t happen here” mentality), among others.
These reasons can be combatted through improved security systems and better employee training. However, there’s one thing that can’t be prevented, and that’s the thing that gives hackers the “house edge.” As the CERT study states:
“Some social engineering campaigns may be so well crafted that individuals may still be exploited no matter what countermeasures (training, policies, etc.) are employed . . . . No matter how skilled, savvy, or trained an organization’s employees are, there will always be a chance that a phishing campaign will succeed, especially because it takes only one individual to succumb to the scam to open new opportunities for the social engineer to execute further exploits against the organization.”
In other words, human nature. People being people, a certain number are always going to click on that website, or lose that flash drive, or let that stranger in the door behind them, no matter how much training they’ve had. The only thing you can do is keep up the training and situational awareness. Hope that one day when that new guy from IT shows up to work on your employee’s computer because it’s setting a faulty IP address, the employee stops and says, “Hey, wait a minute . . .”