Social Engineering: You’re the Phish on the Spear

Adapted from an article submitted by Julie Goldstein, Manager, ITS Client Services and Security, UCSC. High-profile data breaches occur in all industries: the federal government, big corporations, the entertainment industry, higher ed… A recent analysis of the Dec. 2013 Target breach illustrates leading causes of major breaches, no matter who they affect:

  • Phishing and other social engineering techniques that lead people to:
    • click on a malicious link or infected attachments
    • reveal passwords (most of the breaches the FBI investigates started with a spear phish – phishing attempts directed at specific individuals or organizations)
  • Exploited technical vulnerabilities, such as out-of-date or unpatched operating systems and applications, and default passwords

Social engineering: methods and madness

We need to constantly be alert to social engineering. The original source of a data breach so often is simply someone falling prey to a phishing attempt and providing their account information. Big breaches in the news create opportunities for social engineering scammers too:

  • Malicious links appear in web search results about major breaches, especially higher profile or scandalous ones.
  • Phishing scams by email or phone attempt to get victims to sign up for fake credit monitoring or other breach-related support.

For example, after the Federal Office of Personnel Management (OPM) breach, imposters pretended to call from the Federal Trade Commission (FTC) to offer money to OPM data breach victims. The imposter told victims they needed to provide their personal information right then over the phone to receive the payment. It was a scam.

Technical vulnerabilities: give an inch, they take a mile

As IT professionals, we know attackers go after the weakest link in the security chain – end users – through social engineering and weak passwords. Thus, user education is paramount. But there is a lot we need to pay attention to on the back end:

  • PII (personal information) is everywhere. If it’s not in the system the attackers compromised, it’s probably somewhere they can get to from there.
  • Controls that prevent an attacker from jumping between environments are critical.
  • Getting access to a seemingly unrelated system, such as an HVAC or other facility system can be a way in.
  • Attackers can get in through contractor and vendor accounts. In the Target attack, a contractor’s HVAC credentials were compromised and were the initial way in.
  • The initial compromise that allows malware to be installed is typically due to common vulnerabilities – often older ones – where solutions are known but haven’t been applied. Zero-day exploits definitely do happen. Java and Adobe products are notorious for this, but the larger trend from big breaches has been to exploit known vulnerabilities.
  • Some malware (and the majority of sophisticated malware) doesn’t write any files to the device, so antivirus tools won’t detect it.

Breach investigations often show that the initial compromise happened 6-18 months before the breach was discovered. Attackers often have plenty of time to find what they’re looking for. So what’s the “golden rule” for IT security? Take proactive steps. Provide actionable cybersecurity information to end users. Know the signs of suspicious activity and how to report them. Immediately bring in help if there are signs of a breach – it may be broader and deeper than it seems.

Photo credit: Derek Gavey – License

Comment (1)

  1. Tom A

    Great piece, and very timely. We had the UC Cyber Risk Governance Committee meeting today on Oakland and this topic came up multiple times. Committee has provosts, CFOs, Administrators and CIOs on it and discusses broad topics of the cyber threats to the University

    Tom

    Reply

Leave a Comment

Your email address will not be published.