More and more often cybercriminals target office staff, knowing full well that people are the weakest link in the corporate protection systems. Today we'll discuss mistakes in information security made by office workers, and how to avoid becoming an unwitting accomplice to hackers in compromising company infrastructure.
Carelessness when following a link
According to Positive Technologies research, the most efficient method of social engineering in attacks targeting company staff is an email with a phishing link. The study showed that 27 percent of users followed such links.
Employees are often careless when reading the URL of a link in a message. Attackers can register domain names similar to those of well-known organizations or partners of a specific company. Often the only difference is one or two characters in the address.
They use this address to host a fake site that looks like a legitimate web page. When a careless user lands on that site, he or she may enter data that can be used in a successful attack on the user's company, such as the login and password for a corporate IT system. An antivirus can block malicious attachments, but there is no protection against a user who willingly discloses his or her password.
Solution: users must be vigilant and think before following links received by email. Check the sender of the message, confirm that you really are the intended recipient, and verify that the URL in the message matches the address of the company that actually owns the site. If in doubt, don't follow the link.
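The check described above (does the link's domain really belong to the company or a partner, or does it differ by a character or two?) can be automated on the defender's side, for example in a mail gateway or a help-desk triage script. The following is an added example, not code from the article or from Positive Technologies; the allowlist of trusted domains, the homoglyph table and the sample message are constructed assumptions, and the "registrable domain" is approximated as the last two labels rather than looked up in a public-suffix list.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of the company's own and partners' domains (assumption,
# not from the article); a real deployment would load it from configuration.
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}

# Character pairs and digits that are commonly swapped for a look-alike glyph.
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

MAX_EDITS = 2  # "one or two characters" differ, as the article describes

_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(host: str) -> str:
    """Lower-case, drop any port, and fold common homoglyph substitutions."""
    host = host.lower().split(":")[0]
    for pair, repl in _DIGRAPHS:
        host = host.replace(pair, repl)
    return host.translate(_GLYPHS)


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    raw = registrable(host.lower().split(":")[0])
    if raw in trusted:
        return "trusted"
    folded = registrable(normalize(host))
    for t in trusted:
        # Flag a trusted name buried inside a longer host (example.com.evil.test),
        # a match after homoglyph folding, or a near miss in spelling.
        if t in host.lower() or folded == t or levenshtein(folded, t) <= MAX_EDITS:
            return "lookalike"
    return "unknown"


def check_message(from_header: str, body: str) -> list:
    """Classify the sender's domain and the host of every link in the body."""
    findings = []
    _, addr = parseaddr(from_header)
    if "@" in addr:
        findings.append(("sender", addr, classify_host(addr.rsplit("@", 1)[1])))
    for url in _URL_RE.findall(body):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        host = urlparse(url).hostname or ""
        findings.append(("link", url, classify_host(host)))
    return findings


# Constructed sample message (assumption): a typical credential-reset lure.
SAMPLE_FROM = "IT Support <it-support@examp1e.com>"
SAMPLE_BODY = (
    "Your password expires today. Sign in at "
    "https://login.exarnple.com/reset to keep access, or read the policy at "
    "https://www.example.com/policy and https://docs.python.org/3/."
)

if __name__ == "__main__":
    for kind, item, verdict in check_message(SAMPLE_FROM, SAMPLE_BODY):
        print(f"{verdict:9} {kind:6} {item}")
```

Run as-is, the script flags the sender domain examp1e.com (digit 1 for l) and the link host exarnple.com (rn for m) as lookalikes, accepts www.example.com as trusted, and leaves an unrelated domain as unknown. A "lookalike" verdict is the case the article warns about and is worth a hard block or a visible warning; "unknown" is merely a domain outside the allowlist and usually warrants only a softer prompt.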
Downloading suspicious files
Another common method of penetrating corporate infrastructure is sending messages with malicious attachments. When someone downloads and opens such a file, it installs a virus or a backdoor on the victim's computer, giving the attacker full access to it; he or she can then use that computer as a foothold to infect the rest of the infrastructure.
Attackers play on fear, greed, hope, and other emotions to improve the efficiency of their attacks. So in the subject line of their message they use words like "list of staff to be discharged" or "annual bonus payment". Curiosity as to how much a colleague earns or fear of getting fired can be a powerful thing causing one to forget basic security rules. In an experiment conducted by Positive Technologies, almost 40 percent of mock phishing emails with "layoffs" in the subject line spurred users into taking a potentially dangerous step.
Users who receive a suspicious file in a message not only open it, but often forward the message to colleagues (for instance, in the IT department). Since the colleagues know the forwarder, they also open the file, and as a result the virus quickly spreads through the company's infrastructure.
Solution: just like with phishing links, you can counter emails with malicious attachments by staying as vigilant as possible. Never download and run files from unknown senders, no matter how intriguing the file name may sound. Don't ignore antivirus warning messages, either.
Carelessness when speaking on the phone
It turns out that Internet attacks are not the only way attackers can fool gullible office staff. Often intruders use a phone call as a means of social engineering. Attackers call company staff, posing as colleagues from IT support, for instance, and elicit sensitive information or get the person to take an action the attackers need in order to launch an attack.
A classic example is a call early on Sunday morning requesting someone to immediately get to the office. Few people would be happy to go, they may not even be able to, and then the caller suggests they simply give their password so that an "expert" takes care of everything. Many people are happy to oblige.
Solution: under no circumstances provide confidential data over the phone. If "someone from the IT department" calls you and asks for your password, this alone should be enough to raise suspicion, because in reality IT staff do not need to get this information from the user in order to do their job.
Use of public Wi-Fi networks for work
Another popular way of stealing confidential user data is through public Wi-Fi networks. Attackers can create a "lookalike" of popular public networks operating in the vicinity of the company's office.
Names of such fake access points usually sound like legitimate ones. If a user's device is set to connect automatically, it is very likely to connect to this fake access point. If the employee uses his or her cell phone for work or sends important data from it, the attackers can get that data.
Solution: avoid using public Wi-Fi networks to connect to corporate resources without a VPN. If, for whatever reason, you can't use a VPN but really need to log on right now, make sure the target access point uses WPA/WPA2 encryption. If it does, your device should display a message when you connect.
Insecure password storage
An attack is not always launched from the outside. In many cases confidential data is stolen by an internal attacker. According to a study by Positive Technologies, 100 percent of such attacks result in full control over the network. Employees contribute to that by handling passwords incorrectly. Recently many companies have implemented password security policies requiring users to change their passwords regularly and make them complex enough. But many people don't want to memorize a complex password. Often they write it down on a piece of paper and keep it next to their computer. In this case the attacker easily gets access to the employee's account.
Solution: never keep passwords in cleartext. If you want to write down a password, use the method suggested by Bruce Schneier, where instead of your password you write down some clues which will help you recall it.
The human factor is one of the main issues in ensuring the security of corporate systems. More and more often attackers choose to slip into the corporate network by attacking the employees, rather than hacking into the infrastructure directly from outside the perimeter.
To prevent attackers from getting inside your company's infrastructure, follow the basic information security rules. Do not follow suspicious links, be careful when downloading email attachments, don't provide important information over the phone, and don't store passwords in cleartext.