The Black Book of Identity Access Mgmt


    Tuesday, Jan 20, 2015

    BE SMART


    It’s always fun to watch the headlines and hear about the latest corporate hacking disaster. Part of the fun is hearing the so-called experts give the 10,000-foot explanation of what they think happened, and often these are people who know the buzzwords but don’t actually know what they mean. We’ve all heard some ridiculous post-mortems from dummies who are good for talking to pundits but who risk all credibility if they’re dumb enough to actually talk to any white-hat types and get picked apart.

    Yes, we still have to worry about those generic “hackers,” those mysterious types who do whatever keyboarding evil they do, who “break in” and steal data. TV types can’t comprehend OWASP or SANS or common exploits. You’ll never hear the term “SQL injection” on CNN.

    But as brilliant as some of these bad guys are, they STILL quite often rely on bad practices, social engineering, and just plain stupidity. However, they can be sophisticated enough to leverage people’s personal connections.

    Let’s pull this apart. Compare a social attack to SQL injection: both are iterative attacks, not a smash and grab. Find the databases, find the tables, examine the schema, then go after the data.

    Recently I’ve spoken to organizations who describe multi-layered, extremely clever attacks that require several passes, and are still just social engineering, but to such a degree that it’s far beyond conning a secretary over the phone into handing out a password.

    Example 1: purchasing agent gets an email, containing an attachment requesting a wire transfer, from a manufacturing manager. “Need this much cash to buy these mundane raw materials to build this boring product.” The required form is properly filled out, appears to be pre-approved by yet another party, and the proposed transaction is in line with other transactions they process several times a day. The purchasing agent has a question about the form, emails back, and gets an appropriate response so he also approves, and sends the wire transfer request along.

    Then there’s an issue with the account number, and it bounces back. The purchasing agent finally says, screw it, I’ll make a phone call to the manufacturing manager, who then says, “What wire transfer are you talking about?”

    The bad guys hadn’t hacked a bank account or explicitly moved money. They had infiltrated email, mapped out the organization, who dealt with whom, how business was transacted, how money was moved, then tried to get privileged employees to do the work FOR them. After hearing this story, I heard from several other companies in the same geographic area that had been attacked in the same way.

    Example 2: a technology company is on an acquisitions binge. Lots of little purchases are going on every day as people and even furniture are getting moved around, offices are being dissolved, severances are being paid, equipment is being consolidated. The CEO is personally overseeing many of these small expenditures. The CEO goes by a nickname. One day his secretary gets an email from him asking for a transfer of cash for a merger-related activity, but using his full name. The long-time secretary is instantly suspicious because the boss didn’t use his traditional nickname in signing the email. And yep, it wasn’t him. Someone is trying to take advantage of the chaos of the M&A activity.
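    The secretary’s instinct in Example 2 can be written down as a check. The following is an added example, not from the original post: it learns each sender’s habitual sign-off from a constructed mailbox history and flags any money-movement request whose sign-off deviates from that baseline, so it can be held for an out-of-band call. The sender address, the sample messages and the keyword list are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed mailbox history: sender -> bodies of past, known-good messages.
HISTORY = {
    "ceo@example.com": [
        "Please approve the lease for the Austin office.\n\nThanks,\nJJ",
        "Forward me the severance numbers by Friday.\n\n- JJ",
        "Let's consolidate the lab equipment this week.\nJJ",
    ],
}

# Words that indicate a request to move money (constructed, deliberately small).
PAYMENT_RE = re.compile(r"\b(wire|transfer|payment|funds|cash)\b", re.I)


def sign_off(body: str) -> str:
    """Return the last non-empty line of the body, minus dash/space padding."""
    lines = [ln.strip(" -\t") for ln in body.strip().splitlines() if ln.strip(" -\t")]
    return lines[-1] if lines else ""


def baseline(history: dict) -> dict:
    """Per sender, the sign-off that sender uses most often in past mail."""
    return {
        sender: Counter(sign_off(b) for b in bodies).most_common(1)[0][0]
        for sender, bodies in history.items()
    }


def assess(sender: str, body: str, baselines: dict) -> tuple:
    """Return (signal_count, reasons). Two signals means: stop and verify by phone."""
    reasons = []
    if PAYMENT_RE.search(body):
        reasons.append("requests movement of money")
    usual = baselines.get(sender)          # unknown senders have no baseline to compare
    seen = sign_off(body)
    if usual is not None and seen.lower() != usual.lower():
        reasons.append(f"sign-off {seen!r} differs from usual {usual!r}")
    return len(reasons), reasons


if __name__ == "__main__":
    b = baseline(HISTORY)
    suspect = "Need a wire transfer of $48,000 for the merger closing today.\n\nJonathan Jones"
    print(assess("ceo@example.com", suspect, b))
```

    A sign-off mismatch alone is weak evidence, and a payment request alone is routine; it is the combination that justifies picking up the phone rather than replying to the email.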

    It’s important to have all the right tools and policies in place. All your sensitive data should be encrypted. Multi-factor authentication and authorization are phenomenal things. Segmented networks can limit damage when somebody DOES get in.

    But it still pays to be smart, to be vigilant. There’s an old saying from the Middle East: trust, but verify. Well, screw trust. Just verify.