It has been reported that the Department of Veterans Affairs notified veterans Monday morning of a data breach that exposed the personal information of 46,000 veterans. The breach took place when unauthorized users tried to access an application within the Financial Service Center (FSC) in order to steal payments. The attackers used “social engineering” and “exploiting authentication protocol” techniques to gain access to the system. Cybersecurity experts reacted to this news below.
Threat actors like to prey on the vulnerable as they are perceived as low hanging fruit. We all like to think that we’re not susceptible to social engineering or manipulation, but the truth is that even cautious, intelligent, self-aware people get caught up in online scams, which can have very damaging consequences. This is simply because the cybersecurity education available still isn’t enough, so people will continue to be fooled due to a lack of awareness. Older people tend to be even more trusting, which means they are less likely to spot a scam.
This stolen data is likely to be used in conjunction with targeted phishing scams to target veterans on the list. Those affected will require training to understand what to look for in the phishing emails that will be inevitably sent. It’s also important to inform those at risk of the potential harm that could be caused, what to do next, and how to remain protected moving forwards.
Disgusting is how I would categorise this latest reported hack of the Department of Veterans Affairs. Is there no longer honour among thieves? Their behaviour in this time of crisis is despicable and disgusting. Today, new security threats are surfacing on a regular basis and cyber crime groups are not only well funded but they are patient and persistent. If they have their sights set on one particular company or organisation, nothing will stop them from being successful. The defenders or good guys have to be right 100 percent of the time and that is a monumental task given the expanding digital footprint. From initial reports it looks like the VA is conducting a thorough investigation into this latest breach and that’s great news.
For the VA, and all organisations, it is essential to implement around the clock threat hunting services and to take the fight to the cyber criminals. This approach will enable security teams to see attacks as they are happening allowing them to stop them. In addition, all organisations should regularly conduct security awareness training to help employees do their part to reduce risk. At a basic level, never open email attachments from unknown sources on any device, don’t visit dubious websites and never download content onto your device from sketchy sources.
Social engineering is a very common attack strategy which threat actors use to gain access to applications or systems within a corporate network. At Synopsys, based on our security assessment services, we have found that at least one person will always fall for our social engineering attempts. To prevent a successful attack, there are several compensating controls an organisation can put in place. To start, any sensitive applications should have access restricted to the internal corporate network or VPN endpoints. This will prevent an attacker from logging in from anywhere on the internet. If, for business reasons, these applications must be public facing they should be secured with multi-factor authentication to prevent any compromised credentials from being used. Lastly, organisations should conduct regular social engineering assessments against their staff to raise awareness around social engineering threats, thus reducing the chance of a successful attack.
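As an added illustration of the two-tier compensating control described in the quote above (sensitive applications reachable only from the internal network or VPN, MFA required for anything that must be public facing), here is a small access-policy check. It is example code written for this page, not the VA's or Synopsys's, and the application names and address ranges are constructed placeholders.

```python
"""Access-policy check for the compensating controls described above:
- 'internal' apps: accept logins only from corporate LAN / VPN address ranges
- 'public' apps: reachable from anywhere, but only once MFA has been completed
Application names and networks are hypothetical placeholders."""
import ipaddress
from dataclasses import dataclass

# Assumed corporate LAN and VPN egress ranges (constructed for the example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.50.0/24")]

# Exposure profile per application (constructed for the example).
APP_EXPOSURE = {"payments-portal": "internal", "benefits-self-service": "public"}


@dataclass
class LoginAttempt:
    app: str
    source_ip: str
    password_ok: bool
    mfa_verified: bool


def is_trusted_source(ip: str) -> bool:
    """True when the client address lies inside a corporate or VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(attempt: LoginAttempt) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown applications are denied by default."""
    exposure = APP_EXPOSURE.get(attempt.app)
    if exposure is None:
        return False, "unknown application"
    if exposure == "internal" and not is_trusted_source(attempt.source_ip):
        # Network check comes first: a phished password is never even tested
        # from outside the corporate network, so the attacker learns nothing.
        return False, "internal app reached from untrusted network"
    if not attempt.password_ok:
        return False, "bad password"
    if exposure == "public" and not attempt.mfa_verified:
        # A correct but stolen password alone must not unlock a public app.
        return False, "MFA required for public-facing app"
    return True, "ok"


# Constructed sample attempts, including a correct password used from the
# internet against the internal app and a public app without MFA.
SAMPLE_ATTEMPTS = [
    LoginAttempt("payments-portal", "10.12.3.4", True, False),
    LoginAttempt("payments-portal", "203.0.113.7", True, True),
    LoginAttempt("benefits-self-service", "203.0.113.7", True, False),
    LoginAttempt("benefits-self-service", "203.0.113.7", True, True),
]


def audit(attempts=SAMPLE_ATTEMPTS) -> list[tuple[str, str, bool, str]]:
    """Evaluate each attempt; denied rows are what a SOC would alert on."""
    return [(a.app, a.source_ip, *evaluate(a)) for a in attempts]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Denied rows from `audit()` are the events worth alerting on, since a correct password arriving from an untrusted network is exactly the signature of credentials obtained by phishing.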