BreachExchange mailing list archives

Data Security Hackers Are the Problem, Workers the Weak Point


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:29 -0600

http://ww2.cfo.com/data-security/2015/09/hackers-problem-workers-weak-point/

In the old days, “hackers” would hang out in bars across the street from
the plant or office at quitting time and make friends with the workers,
slowly learning and eventually stealing business secrets. Although this
tactic may still work, these days the hackers are hanging out in their
bedrooms and (with less time invested in the process) are making off with
bigger rewards by stealing security credentials and unlocking a treasure
trove of financial and health information.

Consider the following data breaches, all caused by phishing techniques:

- Target — 70,000,000 customers, security credentials stolen from HVAC vendor
- eBay — 145,000,000 records, login credentials obtained from employees
- Sony — 47,000 records, fake Apple ID verification emails
- Anthem — 80,000,000 records, credentials stolen from five different
technical employees
- Excellus — 10,500,000 records, hackers gained unauthorized administrative
access
- Office of Personnel Management — 21,500,000 records, security credentials
stolen from contractor

But it’s not just the big guys that are falling prey. Smaller organizations
including Seton Healthcare Family, St Vincent Medical Group, and Partners
Healthcare have all been victims of similar phishing scams.

In other cases, known as “CEO fraud,” hackers send company emails to
employees ostensibly from someone in the C-suite asking for information or
authorizing a wire transfer.

Phishing techniques come in various forms (e.g., false links inside of
emails or advertising), but they always appear to be trustworthy. According
to the Anti-Phishing Working Group, phishers are able to convince up to
five percent of recipients to respond, but it only takes one employee
clicking on the wrong link to give away the keys to the kingdom.

Here are some tips that an organization can provide their employees to make
them more aware of phishing and other hacking techniques and how to
promptly report them:

- Do not open attachments or click on links from unknown sources.
- Before clicking through even known sources, hover your mouse over the
link to verify the site it’s leading to.
- Look closely at and verify the email address of a known person (help
desk, HR, etc.) requesting personal or security information. Better yet,
call the person to verify the request.
- Never provide security or account credentials to anyone.
- Do not open or reply to spam emails, even to unsubscribe, as this will
give the sender confirmation they have reached a live address.
- If you think something is suspicious, it probably is. Report it.
- Do not click on a link in an email from what appears to be your bank or
financial institution. Rather, type it in yourself or use the web browser
link that you normally use.
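Two of the tips above (hovering over a link to compare the displayed destination with the real one, and checking the sender's actual address rather than the display name) can be automated at the mail gateway or in a reporting-mailbox triage script. The following is an added example, not code from the article; the sample message, the domain names and the function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a lookalike sender domain and a link whose
# visible text names the bank but whose href points elsewhere.
SAMPLE_FROM = '"IT Help Desk" <helpdesk@example-bank.com.attacker-domain.test>'
SAMPLE_HTML = """<p>Please verify your account:</p>
<a href="http://login.attacker-domain.test/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/contact">contact us</a>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation: last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def mismatched_links(html):
    """Return (visible_text, href) pairs where the anchor text looks like a URL
    or hostname but the real target is on a different registrable domain."""
    p = _LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        if not re.fullmatch(r"\S+\.\S+", text):   # text must look like a URL/host
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and registrable(shown) != registrable(real):
            flagged.append((text, href))
    return flagged


def sender_domain_mismatch(from_header, expected_domain):
    """True unless the mailbox domain is expected_domain or a subdomain of it."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return not (domain == expected_domain or domain.endswith("." + expected_domain))
```

The two-label `registrable` helper is deliberately simple; a production rule should use the public suffix list so that domains such as `example.co.uk` compare correctly.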

Organizations can do more to protect their information by:

- Establishing an email address for reporting suspicious emails.
- Following up on such reports by alerting the workforce.
- Implementing anti-spam software to stop suspicious emails from reaching
employees.
- Installing and keeping current anti-virus software to help detect and
disable malicious software.
- Using screen savers to reinforce messaging related to phishing scams.
- Implementing social engineering tests to identify untrained or
susceptible employees, including senior management.
- Installing firewalls and maintaining them with the latest security
patches.
- Monitoring activity, including unusual volume or access.

As in sports and war, the victorious are the ones with the strongest
defenses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com