The Best Defense Is a Good Offense
By Sean Hogan
In a recent study, Stanford University and a top cyber security organization found that more than 85% of all data breaches are caused by human error. The standard practice for prevention of breaches is enabling tools to detect and prevent breach attempts.
Most breaches are prevented with tools such as anti-virus, spam filtering, and edge protection. But what about the attempts that slip through these defense systems? That’s where education comes into play.
Cyber criminals are constantly evolving and changing their methods for cyber-attacks. The best software and security tools can eliminate many of the known attack methods, but no company, security team, or software package can claim 100% success in eliminating threats. The game is constantly changing, and to keep up with unknown threats and techniques it is critical that we all educate and train ourselves to be hyper-vigilant when it comes to cybersecurity.
It is critical to teach your staff about cyber-attacks. I tell my clients to always question everything; if you aren’t expecting an email with a Dropbox link, then don’t open it, and certainly don’t click the link. Hackers have upped their game when it comes to disguising malicious content. Hackers will use credentials from sources on the dark web, and the more thorough hacker will do some social engineering and gather information about the targets on public websites and social media platforms.
The more believable they are, the more effective they can be. I recommend scanning tools that alert companies whenever breached credentials appear on the dark web. These tools let security teams know when credentials have been breached, where they were breached, and whose credentials they are. They will also reveal exposed passwords and the state of password policies, or the lack thereof.
Common passwords are some of the easiest low-hanging fruit for hackers. Let’s pretend you use your business email to log into an online app like Uber. If Uber is breached, the hackers will have your Uber password, and if you use that same password or a similar one elsewhere, like in your banking app, the hacker can use scanning tools and password-cracking tools to easily get into your other accounts. The object is to make it as hard as possible to breach your accounts; don’t make it easy for a junior hacker to wreak havoc.
We recently had a client forward us an email that he thought might be a phishing attack. All the details were accurate, and everything was spelled correctly. The ‘sent from’ address had one difference: it came from a registered .net domain rather than the company’s legitimate .com address. Other than that, everything was accurate. The hacker had the wherewithal to create that domain and register it as a .net. (Lesson learned: reserve all similar domain names to prevent this from happening!)
This one example was a sophisticated attempt to convince the client to create a wire transfer; the client now has a policy of triple-checking and confirming any transactions with multiple steps.
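A defender-side check for the lookalike-domain trick described above, added here as an illustration rather than code from the article or from Hogan Technology: it classifies sender addresses against the company’s legitimate domain and flags ones that reuse the name under a different top-level domain. The legitimate domain and the sample From headers are constructed placeholders, and the check assumes a single-label TLD such as .com or .net.

```python
import re

# Constructed placeholder for the company's legitimate domain (not from the article).
LEGIT_DOMAIN = "example.com"

def registrable_domain(address: str) -> str:
    """Return the lower-cased domain of a From value such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify a sender relative to the legitimate domain.

    Returns 'legitimate' (the domain itself or a subdomain of it),
    'lookalike' (same name, different TLD, e.g. .net in place of .com),
    or 'external' (unrelated domain).
    """
    domain = registrable_domain(address)
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    name, _, tld = domain.rpartition(".")
    legit_name, _, legit_tld = legit.rpartition(".")
    if name == legit_name and tld != legit_tld:
        return "lookalike"
    return "external"

# Constructed sample From headers; none are real messages.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@example.net>",
    "IT Desk <helpdesk@mail.example.com>",
    "billing@vendor-invoices.org",
]

def flag_lookalikes(headers):
    """Return the From values whose domain is a lookalike of the legitimate one."""
    return [h for h in headers if classify_sender(h) == "lookalike"]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):11} {header}")
```

A mail filter rule that quarantines or banners anything classified as a lookalike would have caught the .net message before it reached the client.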
The best way to teach your staff about attacks is to create a fake phishing attack. We create and run fake attacks against our staff and our clients. We have a library to choose from, and we can simulate a bank request, a Netflix credential reset, or a credit card alert, just to name a few. These attacks mimic real attacks. The recipients’ reactions are tracked, and reports are made available after the campaign has expired.
The email is delivered (allowed past our filters on purpose), and the recipient can open it, click the link, and provide data. We call this the trifecta! Normally, opening an email is not malicious by itself; clicking the link can activate embedded malware. If a recipient does take the bait, the training software automatically plays an educational video that teaches that staff member how they were fooled and what to look out for in the future.
When the campaign has ended, the results are tallied in a report. The report tells you how many opens, clicks, and credential submissions there were, and also indicates whether the end-user sat through the educational video. This is a great tool to use from a cybersecurity perspective. Teach your staff, and install best-in-class edge protection, spam filtering, end-point protection, anti-virus, dark-web scanning, and backup. Overall, don’t overlook the most important step: promote awareness and create a strong, security-aware culture in your office.
Sean Hogan is president of Hogan Technology Inc.; www.teamhogan.com; (413) 779-0079.