Business executive fraud scams that hit the media usually involve senior officials tricked through social engineering into sending large amounts of money to a criminal posing as a legitimate contact.
However, social engineering can also be used to get anything, even bidding information.
That's what happened to an unnamed Canadian firm, as recounted by David Ostertag, global investigations manager for Verizon Enterprise Solutions' investigative response unit, which looked into the incident:

"The data the bad guy was going after was the bottom line of a real estate deal," he told reporters Thursday at Verizon's Toronto office. The target was the official who knew the company's strategy. The goal was to craft a phishing email that would extract that information.
Using social media such as Facebook and LinkedIn, and in some cases phoning company staffers while impersonating an employee, the attacker learned the firm's structure and its lingo, then used both to craft the email to the executive.
Ostertag didn't detail what was in the email the official fell for, saying only that the Canadian company paid significantly more than it would have had the firm's negotiating strategy not been known.
Shown later what had happened, Ostertag quoted the official as saying, "Knowing now that my company lost several million dollars on this real estate deal, I would still open that email. It's that good."
So, Ostertag concluded, despite all the awareness training organizations do, "some of these are really so good, they (attackers) have done their homework so well, you could do all the training you want and the recipient is going to open it."
Still, he maintained there are many basic security steps CISOs and infosec pros should be following but aren't. These include:
- Email content filtering. Half of phishing exploits include an attachment carrying a malicious executable, he pointed out;
- Multifactor authentication for logging into applications and systems, so that a stolen password alone is not enough to get in. "It's something that's simple but appears to be difficult" for some, he said;
- Centralized logging and monitoring of network and log data. "Very basic, very simple, but a lot of the organizations we go in we don't see it ... If you don't have the logs how do you know what's going on?"
- Ensuring default passwords on systems are changed. "That's not high tech."
Attackers "want to spend the least amount of resources to get the greatest benefit. It's a financial thing. If you can use their playbook against them to make it financially more costly to them, they're going to go somewhere else. So if you put good basic security in place, chances are you're going to stop them."
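The centralized logging point above is easiest to appreciate with a concrete use of the logs. The script below is added here as an illustration; it is not code from Verizon or from the article. It looks in connection logs for the evenly spaced check-in pattern of malware beaconing to a command and control server, the behaviour Ostertag mentions later in the piece. The log format, the sample lines and the thresholds are all assumptions constructed for the example, and the addresses are from the RFC 5737 documentation ranges.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log format is assumed for this example (a generic firewall/proxy export);
# adjust LOG_RE for the real source.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_connections=6, max_jitter=0.15):
    """Flag (src, dst, dport) flows whose connection intervals are nearly constant.

    A person browsing produces bursty, irregular timing; an implant polling its
    C2 on a timer produces evenly spaced connections. Jitter is measured as the
    coefficient of variation of the gaps (stdev / mean). The thresholds are
    assumed starting points and need tuning per environment.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; count these separately in production
        ts, src, dst, dport = rec
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(stamps),
                "interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
                "first_seen": stamps[0].isoformat(),
                "last_seen": stamps[-1].isoformat(),
            })
    return findings


def constructed_log():
    """Constructed sample log (not real traffic): one 60-second beacon, one
    irregular browsing session, one regular flow too short to judge, one bad line."""
    base = datetime(2016, 6, 9, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset, src, dst, dport, nbytes):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} src={src} dst={dst} dport={dport} bytes={nbytes}"

    lines = []
    # Implant on 10.20.30.40 checking in about once a minute with small, fixed-size requests.
    for off in (0, 61, 119, 181, 240, 299, 362, 420):
        lines.append(line(off, "10.20.30.40", "203.0.113.7", 443, 512))
    # User on 10.20.30.41 browsing a site in bursts with long idle stretches.
    for off, nbytes in ((0, 40213), (5, 1200), (130, 9800), (131, 300),
                        (600, 75000), (1500, 2200), (1520, 600), (3000, 15000)):
        lines.append(line(off, "10.20.30.41", "198.51.100.5", 443, nbytes))
    # Three perfectly regular hits: suspicious shape, but below min_connections.
    for off in (0, 300, 600):
        lines.append(line(off, "10.20.30.42", "192.0.2.9", 8080, 256))
    lines.append("this line is garbage and must be skipped")
    return lines


if __name__ == "__main__":
    for finding in find_beacons(constructed_log()):
        print(finding)
```

Run against the constructed log it reports only the 10.20.30.40 to 203.0.113.7 flow, with an interval of about 60 seconds. The point of the exercise is the one Ostertag makes: this check is cheap, but it is impossible without the connection logs being collected in one place in the first place.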
User awareness training is a sticky issue: It has to be done, but some CISOs wonder about its effectiveness.
Statistics from Verizon's Data Breach Investigations Report, released earlier this year, show that 13 per cent of employees will open attachments or click on phishing links no matter how much awareness training an organization does. That led a CIBC official at a conference earlier this month to say he's almost given up on it.
What kind of training works? "We are better at knowing what doesn't work than what does," Ostertag admitted in an interview. But many CISOs have told him it's vital to immediately re-train staff who fail an awareness test.
He did say CISOs have to encourage the 87 per cent who don't open suspicious attachments to report their concerns rather than just hit the delete key.
At the conference the bank executive said there is a solution: implement gateway attachment scanning. It could delay email by up to five minutes, he conceded, but would dramatically improve security. However, he said, management at organizations he's worked for refuse to impede email.
Ostertag was neutral. "That's a tradeoff the organization has to make," he said. On the other hand, he added, any delay in executing malware helps the defence, because some malware "beacons" to a command and control server by IP address, and many of those addresses are only valid for a short period of time.
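The email content filtering item in Ostertag's list and the gateway attachment scanning the bank executive describes both come down to deciding, per attachment, whether it carries executable content. The scanner below is an added example, not code from Verizon, the bank or the article; the extension list, the magic-byte table, the size and depth limits and the sample attachments are assumptions constructed for it. It checks the final extension, the leading bytes regardless of what the name claims, and the members of zip archives to a bounded depth, and it fails closed on anything it cannot inspect.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions treated as executable content. An assumed policy list for this
# example; real gateways carry a longer one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi",
    ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta", ".jar",
}

# Leading bytes of common native executable formats, checked regardless of
# the file name, so renaming payload.exe to report.pdf does not help.
EXECUTABLE_MAGIC = {
    b"MZ": "PE (Windows) executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O executable",
    b"\xfe\xed\xfa\xcf": "Mach-O executable",
    b"\xce\xfa\xed\xfe": "Mach-O executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
}

MAX_ARCHIVE_DEPTH = 2                # zip-in-zip is a common evasion
MAX_MEMBER_BYTES = 8 * 1024 * 1024   # cap on what is inflated per member (zip bombs)


@dataclass
class Verdict:
    blocked: bool = False
    reasons: List[str] = field(default_factory=list)


def _final_extension(path: str) -> str:
    """Extension of the last path component: 'invoice.pdf.exe' -> '.exe' (what the OS acts on)."""
    name = path.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def _executable_magic(data: bytes) -> Optional[str]:
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def scan_attachment(path: str, data: bytes, depth: int = 0,
                    verdict: Optional[Verdict] = None) -> Verdict:
    """Inspect one attachment, recursing into zip archives, and collect reasons to block it."""
    v = verdict if verdict is not None else Verdict()
    ext = _final_extension(path)
    if ext in EXECUTABLE_EXTENSIONS:
        v.reasons.append(f"{path}: executable extension {ext}")
    label = _executable_magic(data)
    if label:
        v.reasons.append(f"{path}: content is {label}")
    if data.startswith(b"PK\x03\x04"):
        if depth >= MAX_ARCHIVE_DEPTH:
            v.reasons.append(f"{path}: archive nested deeper than {MAX_ARCHIVE_DEPTH}")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.is_dir():
                            continue
                        if info.file_size > MAX_MEMBER_BYTES:
                            v.reasons.append(f"{path}/{info.filename}: too large to inspect")
                            continue
                        try:
                            member = zf.read(info)
                        except RuntimeError:  # password-protected member
                            v.reasons.append(f"{path}/{info.filename}: encrypted, cannot inspect")
                            continue
                        scan_attachment(f"{path}/{info.filename}", member, depth + 1, v)
            except zipfile.BadZipFile:
                v.reasons.append(f"{path}: corrupt archive, cannot inspect")
    v.blocked = bool(v.reasons)  # fail closed: anything with a reason is held
    return v


def _zip_bytes(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real files). PE_STUB is only the start of
# a DOS/PE header, enough to trip the magic check.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
SAMPLES = {
    "quarterly_report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf.exe": PE_STUB,                       # decoy double extension
    "contract.pdf": PE_STUB,                          # renamed executable
    "photos.zip": _zip_bytes({"holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16}),
    "docs.zip": _zip_bytes({"readme.txt": b"meeting notes",
                            "inner.zip": _zip_bytes({"setup.exe": PE_STUB})}),
}


def scan_all(samples=SAMPLES):
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in scan_all().items():
        print(("BLOCK " if v.blocked else "ALLOW ") + name)
        for reason in v.reasons:
            print("   ", reason)
```

On the constructed samples the PDF and the zip of photos pass, while the double-extension file, the renamed PE and the executable buried two archives deep are all held, each with the reason recorded for the analyst. The deliberate policy choice is that encrypted or oversized archive members are blocked rather than waved through, since they are exactly what an attacker uses to get past a scanner that only looks at what it can open.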
He agreed with a suggestion that while organizations do a lot in cyber security, companies rarely do everything right.
Take the Payment Card Industry Data Security Standard (PCI DSS). Ostertag said that since it was released there has never been a breach of payment card data where the breached organization was compliant at the time of the incident. "So what we find is a lot of times organizations understand what are best practices, what basic minimum threshold security practices are, (but) it just doesn't work in everyday life."
For example, he said, a typical security assessor reads an organization's policies and procedures, interviews key managers on what is done and concludes the firm is compliant. "What they don't do is sample and verify that's actually going on. A lot of times that's where the gap is."
Similarly, when development teams build a Web application they do the right things before making it live: secure coding, code review, vulnerability scans on the code, manual penetration testing. But, Ostertag added, this isn't carried over into change management, so updates ship with vulnerabilities.
"We're getting better at protecting data: put access controls around it, encrypt data at rest, all the things we know we should do." So attackers are increasingly targeting end user devices, where sensitive data may reside and security is weaker.