.png)
We have all heard the term "Cybersecurity" at one point or another, and for most people it invokes a complex, possibly almost mystical, image of hackers in black hoodies being thwarted by cybersecurity experts in a room full of high tech gadgetry in a digital battle with the cyber criminals. In reality, it is often much more mundane than the Hollywood depiction. I can say that in my years of handling IT and Cybersecurity, I have never once been in an "Operations" room full of flashing lights and warning sirens while actively hunting a hacker through some kind of digital map on screen. If you are curious about more accurate depiction check out Mr. Robot on Amazon.
The fact of the matter is, like with any security, it is everyone's responsibility. While the security professionals are there as a last line of defense, ready to take on active and advanced threats, many tasks fall onto everyday people. Things like ensuring your using and not sharing a strong password, not clicking phishing links, and even just reporting something that seems off to your security team are all cybersecurity tasks you can do on a daily basis.
Cybersecurity is very much a hierarchical system, and you, regardless of your position, seniority, job title, or experience, are in that hierarchy. A front desk receptionist who doesn't take cybersecurity seriously is just as much of a threat as a CEO who doesn't. On average, most cyber attacks start with phishing, and at a fairly low level. Unlike Hollywood depictions, cybercriminals take time to work their way up in privileges to get at their target. While gaining access to the receptionist account may not give the attack access to all the financial data for a company, it very likely gives access to information about the people who should be targeted next to get that data.
Lets go over an example of a full blown attack that costs a simulated company millions of dollars in damages. As we go through it you will see its not as "James Bond" as the movies where an attacker gets a fake ID, pretends to be an employee and breaks into the server room to gain access. While that may happen occasionally, it is far and away from being commonplace in cyber attacks.
Mary works the front desk for a large financial firm that handles real estate investments called Real Finance. Her job is simply to greet clients who come in, answer phone calls, emails, and do administrative work when requested. Today Mary got an email that appeared to be client sending in a copy of their invoice with some questions. After opening the Invoice she noticed it seemed off and responded to the client that she didn't believe the invoice came from Real Finance. What Mary didn't know is that when she opened the invoice a script ran in the background and installed a keylogger on her machine, allowing the attacker to see her username and password giving him full access to her account. The attacker users this to look at the company directory seeing who has access to client financial data and authority to make wire transfers. He has multiple options on how to proceed but goes with the easiest.
The attack spoofs an email that appears to be coming from the CFO to Mary. It reads: "Mary,
We have an emergency situation with our biggest client, and we need to get a refund issued right away! This cannot wait, so I need you to complete a wire transfer of $3,378,350.00 IMMEDIATELY! We cannot lose this client so any delays are unacceptable and will lead to termination. Send the transfer to the account in the attached documentation. Bob,
Chief Financial Officer Real Finance" Mary seeing this email that came from the top acts immediately fearing she will lose her job. She completes the transfer in and lets our a sigh of relief, not realizing the money she transferred didn't go to a client at all, but to the attacker. The security staff would come in after the fact for this simulated attack and try and figure out what happened and if the money is recoverable, and also notifying the FBI, but unfortunately in these situations the money is usually lost.
This type of attack is not uncommon, and without vigilance and proper knowledge any employee could be the start of a major news story. So what could have been done to prevent this attack? While some steps should have been taken by the IT department such as disallowing scripts to run from files automatically, Mary should have been trained to spot suspicious emails, should have reported the odd invoice right away, and when seeing the large amount of money she was supposed to transfer, should have had to go through a company mandated validation process.
As you can see most of the steps that would have prevented this attack from happening would have been done by employees who didn't have anything related to cybersecurity in their job title. Policies and procedures, trainings, and paying attention could have all prevented the loss of millions of dollars. While this is an extreme example, these types of attack on a smaller scale happen every single day. Attackers may scam dozens of companies out of a few hundred dollars which keeps a low profile but ads up to tens of thousands of dollars in their pocket. Most of attacks aren't from highly trained cybercriminals who are writing their own malware and systematically breaking in, its low level criminals who are mass sending scam emails, possibly with malicious attachments that they purchased, and going for the "low hanging fruit" or easy targets.
One of the best things you can do to help keep yourself and your company secure is to report anything that you think looks off. Even if it turns out to be nothing, a false positive report is better than missing a real attack until after the damage has been done. For more information and the latest in cybersecurity check out the followings links: Cybersecurity & Infrastructure Security Agency - Alerts and Advisories
For a free cybersecurity consultation, reach out to All American Cyber today.
Comments