Preventing Cyber Security Social Engineering Attacks
Internet security is a top focus for businesses and individuals as some of the biggest consumer brand names including Target, Supervalu and Michaels acknowledge major hacking attempts and cyber security breaches. Two things are evident: much more has to be taken to address security shortfalls, and one of the biggest shortfalls is user error and social engineering, people making poor decisions -- writing down passwords, sharing passwords, losing devices -- that lead to a breach into sensitive data.
One of the latest incidents to go public involved hardware supplier Home Depot, which publicly acknowledged its systems were hit in September by what it described as a "unique, custom-built malware" attack that compromised 56 million payment cards. Online auction player eBay is grappling with a password-stealing phishing attack that exploited an XSS flaw.
But the brick-and-mortar and online retail segments are far from alone in suffering security nightmares.
Internet security casualties
Travel and tour provider Viator, owned by TripAdvisor, has notified 1.4 million customers about a breach to websites and mobile offerings that may have put customer credit and debit card numbers, email addresses and other personal information into unauthorized hands. Five Bartell Hotel divisions are reporting guest credit and debit card numbers may have been stolen. Aventura Hospital and Medical Center is reporting its third data breach in the two years, according to U.S. Health and Human Services records.
On the user front the data and information security landscape is just as rife with attempted attacks. A growing number of hacks, malware attacks and phishing schemes are tapping increasingly sophisticated approaches. These incidents, which could very well outnumber enterprise breach statistics if tallied up, rarely get reported and often go unnoticed for long periods. After all, what BYOD smartphone or tablet user wants to tell the IT manager a device was breached and company documents may have been accessed? Even worse, which internal network systems may be at risk via someone's hacked device accounts?
Factor in the mobile computing trends taking place in both the enterprise and user realms -- greater data sharing, increased online transactions and document transfers -- and the list of potential vectors of attack gets longer by the day.
Social engineering: The human element of hacking
The combined scenarios illustrate at least two compelling facts:
- Much more needs to be done to protect data, networks and devices
- The human element of the security equation and - basic password strategy play a critical role in shoring up security both for business and end users.
"Many people seek convenience and neglect security, or take the attitude that, it won't happen to them. So, they don't use passwords or use very weak and easy to guess passwords; they use the same weak password on multiple accounts; and they share their passwords," said David Willson, a risk management and cyber security consultant and lawyer.
Password recycling and oversharing
A few common missteps are password re-use, the lack of a two-factor authentication process and users sharing way too much information via social media.
"Of course it is impossible to remember hundreds of passwords but services such as LastPass offer a solution for it. Some popular services such as Twitter or Gmail offer two-factor authentication for free. The surge in social media is making easier for hackers to gather personal information without even having to work too hard," noted Roberto Arias Alegria, an IT security specialist.
The burgeoning use of social media is definitely widening the playground for hackers, especially given increasing mobile device use, Willson noted.
"Many people place way too much information out on social media making it easy to guess passwords, and basically allowing hackers and stalkers to profile them," he says.
You are the weakest link
Kai Pfiester, a cyber security specialist at Black Cipher Security said gaining deeper insight on users via social media can let hackers deploy social engineering tactics in gaining password info.
"One of the most common mistakes people are making in managing their personal data security is volunteering their personal information all over the internet when they do not have to. This behavior creates a huge personal data footprint that is then stored by these organizations forever," said Pfiester, adding, "information that is never exposed cannot be hacked."
John Poulin, an application security consultant for nVisium, said users don't typically understand the risk associated password reuse and password complexity.
"Reusing passwords and creating easily guessable passwords tends to be the most common method of compromise," he said, adding, "humans are inherently flawed, in the sense that we look for the easiest and cheapest approach to solving our problems. We often see users tricked into downloading rogue anti-virus and anti-malware software in an effort to protect themselves, but without understanding the need to validate the software's integrity."
Losing devices and device theft
Another big security misstep is leaving devices, whether it's a work smartphone or the desktop, unattended or in what a user may believe is a "safe" place with no password set.
"Anybody can stride up to your computer and gain access to your data or online accounts in seconds. Before you even realize this has been done, your online personas could be completely compromised," said Zach Feldman, Chief Academic Officer at the New York Code + Design Academy.
Internet security vulnerabilities: the easy fixes
Feldman's top tip is to teach users to good passwords creation.
"Its actually more secure to use a chain of words that makes up a long password than to use a shorter combination of a word and a few numbers. For instance, dinosaureatingmuchcereal is actually better than dino123," he shared, explaining shorter passwords are more likely to be in so-called "Rainbow Tables," which lets hackers more easily find a short password among a list of semi-common ones and brute force their way into online accounts.
As another security professional revealed, while the human element is a security vulnerability in itself, it can also serve as a protective sword against hackers and malware writers.
"If people are the greatest weakness in security, they are also its greatest strength," writes Conrad Constantine, a research engineer at AlienValult in a ComputerWeekly column.
"So much of what is information security operates on the fringes, the tail of the curve, the places where only the human brain's ability for pattern recognition excels. There is no security control more effective than a diligent system administrator, reading his log files and noticing that something looks awry in them."
"Home Depot under fire for data breach notification," ComputerWeekly.com, September 22, 2014, http://www.computerweekly.com/news/2240231040/Home-Depot-under-fire-for-data-breach-notification
"How history of security shows we have not learnt our lesson," ComputerWeekly.com, September 29. 2014, http://www.computerweekly.com/opinion/How-history-of-security-shows-we-have-not-learnt-our-lesson
"eBay XSS password-stealing security hole 'existed for months,'" Graham Cluley, September 22, 2014, http://grahamcluley.com/2014/09/ebay-password-stealing-security-hole-existed-months/
"TripAdvisor's Viator Notifies 1.4 million customers about Site and Mobile Data Breach," September 19, 2014, http://skift.com/2014/09/19/tripadvisors-viator-notifies-1-4-million-customers-about-site-and-mobile-data-breach/
"Aventura Hospital and Medical Center reporters data breach," September 16, 2014, http://www.local10.com/news/aventura-hospital-medical-center-reports-data-breach/28082920
"Cyber attack hits San Diego hotel chain," U-T San Diego, September 9, 2014, http://www.utsandiego.com/news/2014/sep/09/target-home-depot-bartell-hotels-cyber-hacking/