You invest a lot of money in keeping your systems from being hacked but trouble may be coming from unexpected places.
Last month, attendees at the AmeriQuest Symposium were made aware of a form of hacking that is much harder to combat because it’s coming from the inside. Well, not literally. Your people aren’t willingly contributing to the hacking attempt, but they are being duped by some very smart and sophisticated people.
Jane Clark, VP of Member Services for NationaLease, in her recent IdeaXchange blog, covered the presentation of Kevin Mitnick at the AmeriQuest Symposium. Mitnick, in the mid-nineties, was actually one of the world’s Most Wanted hackers. Now he heads Mitnick Security, a security firm that companies look to in order to help them test their systems’ weaknesses and strengths when it comes to security and to find potential loopholes.
The big problem now, said Mitnick, was not the hacker who tries to get past your system firewalls. The major issue now is one he calls social engineering, which he defines as “a form of hacking that relies on influence, deception and manipulation to convince another person to comply with a request in order to compromise their computer network.” And social engineering is much easier than hacking software or technology, it’s nearly 99.5 percent effective and worse for your company, it leaves no audit trail.
Remember the vampire myth that a vampire can’t enter anywhere unless it’s invited in? Well, your company is now exposed, not just due to any system loopholes, but also by employees unwittingly inviting in the hacker. It’s important to note that these hackers are very, very smart and do their due diligence before making their attacks. They may check out your company online for organizational charts, names and titles of employees to identify the people that have the information the hackers are seeking.
Or they go to sites like LinkedIn, enter the company name to get the names of key employees. Then they go to that employee’s LinkedIn page to identify who might be a part of a “circle of trust” for that employee.
Once they’ve gotten the information they need, they may try a number of different tricks, often posing as one of those trusted people to get the target to respond:
- They may send an email containing an attachment (like a “booby-trapped” PDF) that, once opened, gives the hackers the access they desire.
- They may send what looks like a software update notice that encourages a recipient to download the update. Once that’s done, the hacker has access to that employee’s computer and all the information contained therein.
- Some actually send, by snail mail, a thumb drive imprinted with a logo that identifies it as the company of someone your employee knows and trusts. Once that drive is inserted into the USB port, the hackers can unleash a virus or steal passwords and other data.

These are just some of the ways that smart hackers can get into your systems using your own employees. The way to combat this, according to Mitnick, is to train your employees to be aware of these types of deceptive attacks. Companies also may want to conduct their own mock attacks to see which of their employees respond and then use this as a teachable moment for what not to do. What every company should do, said Mitnick, is to tell employees, “It is okay to say no to an information request.”
What are you doing at your company to help employees realize they may be being duped by a hacker?