
The Most Common Hack Is Also The Most Successful. Here’s How To Fight It.

By ISBuzz Team, August 19, 2019 (Updated: July 4, 2024)

Despite what movies might show, most hacks don’t involve frantic typing or brute-force attacks. In fact, Verizon’s “2017 Data Breach Investigations” report revealed that 90 percent of successful hacks aren’t hacks at all: They’re social engineering.

Simply put, social engineering is about manipulating people rather than computers. Modern hackers have discovered that it is easier to ask for data than it is to take it by force. These manipulators continue to trick everyone from secretaries to CEOs into giving up passwords, network access, and everything else they want. To safeguard against hacking, cloud service providers don’t need stronger firewalls; they need to learn how to protect themselves from human-to-human deception.

What Do Hackers Want?

Social engineers have different goals, but these hackers generally have one of two motivations: Some do it for personal profit; others commit intellectual property theft as state-sponsored actors.

The first group of social engineering hackers gains access to personal data (like credit card and Social Security numbers) to sell on the dark web. Last year, NBC News reported that breaches for personal gain are on the rise, especially those targeting Social Security numbers, which means hackers are getting more comfortable using this type of strategy.

But don’t discount the second group: state-sponsored hackers. Private companies might not feel as threatened by social engineers working on behalf of other governments, but they should. The Equifax breach appears to be the work of state-sponsored Chinese professionals, according to the Chicago Tribune. And, of course, the social engineering activities of hackers sponsored by Russia are well-documented. In Verizon’s report, 94 percent of the 620 breaches in the manufacturing sector last year qualified as espionage. Any company with intellectual property that can be stolen or copied should be wary of attacks from foreign agents.

How to Stop Social Engineers

Companies in every industry should fear the ramifications of a successful breach. Hackers typically target companies in financial services, government, healthcare, and retail, but they’re opportunistic above all else. If a company doesn’t protect its data well, hackers will eventually discover the weaknesses and take what they want. Usually, though, they won’t bother trying to force their way in — they let their victims do the work for them.

Social engineering takes many forms. Hackers send mass emails to businesses, leave USB drives in parking lots, send physical media in the mail, and make phone calls pretending to be other people. Even if they fail 99 percent of the time, their occasional successes provide all the incentive they need to keep going.

To protect your company against social engineering, follow these tips:

  1. Inventory data assets, and restrict access appropriately.

If you don’t know where your information is, you can’t protect it. Start your protective measures by identifying and classifying all the data you store. Don’t forget the data your users store in spreadsheets and Word documents. This isn’t just about your production databases.

Start by asking yourself the same questions a hacker might ask: What happens to customer data after you receive it? Where do you store sensitive intellectual property, and who has access to that information? If hackers want to get your financial records or product designs, who would they need to trick into giving it to them?

Classify that data by tiers ranging from highly sensitive to totally public. Customer data and intellectual property deserve the strictest security. After you complete your review, set a schedule to reassess these data flows at regular intervals to plug potential leaks before they happen.

  2. Require multifactor authentication.

According to the Verizon report, 81 percent of hacks involve weak or stolen passwords. Deloitte, for example, suffered such a breach, one that could have been easily avoided. After hackers got the password to an administrator’s account, they logged in and stole data from an email server. If that administrator had implemented MFA, the hackers would have been stumped.

Require anyone with access to sensitive data to use MFA on all company accounts. Text messaging is the most common MFA technique, and while this method isn’t totally secure, it’s better than nothing. Soft tokens, like push notifications, are a stronger option. For administrators with the keys to the kingdom, require a hard token (like a USB drive) that guarantees that the person entering the password has the right to do so.
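An audit that joins the data tiers from tip 1 with the MFA guidance above, as an added example that is not part of the original article. The tier names, account fields and sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# MFA methods ranked by the strength ordering the article gives:
# no MFA < text message < soft token (push) < hard token.
MFA_STRENGTH = {"none": 0, "sms": 1, "soft_token": 2, "hard_token": 3}

# Data tiers from tip 1, least to most sensitive (tier names are assumptions).
TIERS = ["public", "internal", "sensitive", "highly_sensitive"]


@dataclass
class Account:
    user: str
    is_admin: bool
    highest_tier: str   # most sensitive data tier this account can reach
    mfa: str            # strongest MFA method enrolled


def required_mfa(acct: Account) -> str:
    """Minimum MFA method the article's advice implies for this account."""
    if acct.is_admin:
        return "hard_token"                      # "keys to the kingdom"
    if TIERS.index(acct.highest_tier) >= TIERS.index("sensitive"):
        return "sms"                             # any MFA at all is the floor
    return "none"


def audit(accounts):
    """Return (user, severity, message) findings, failures first."""
    findings = []
    for a in accounts:
        need = required_mfa(a)
        if MFA_STRENGTH[a.mfa] < MFA_STRENGTH[need]:
            findings.append((a.user, "FAIL", f"has {a.mfa}, needs {need}"))
        elif a.mfa == "sms" and need != "none":
            findings.append((a.user, "WARN", "sms meets the floor; prefer soft_token"))
    return sorted(findings, key=lambda f: f[1])  # "FAIL" sorts before "WARN"


# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("alice", True, "highly_sensitive", "soft_token"),
    Account("bob", False, "sensitive", "none"),
    Account("carol", False, "sensitive", "sms"),
    Account("dave", False, "public", "none"),
    Account("erin", True, "internal", "hard_token"),
]
```

Running `audit(SAMPLE)` flags the administrator without a hard token and the sensitive-data user with no MFA as failures, and the SMS-only user as a warning.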

  3. Use communication media with end-to-end encryption.

Encrypt data both when it’s stored and as it transfers from one place to another. This end-to-end encryption ensures hackers can’t actually use any data they manage to grab.

Use end-to-end encryption on everything from customers’ credit cards to employee emails. Microsoft recently introduced end-to-end encryption into Outlook, allowing users to shield their emails from would-be attackers and prevent unintended parties from gaining access to sensitive information.

  4. Create a culture of security.

Ultimately, the most important line of defense in data protection comes down to the social engineers’ targets: employees. By now, most people know that those Nigerian princes aren’t real, but not everyone knows how to spot a well-crafted hacker persona. For example, UC Davis Health suffered a breach last year when a hacker impersonated an employee through email and proceeded to access the university’s health data.

Regularly educate employees on evolving phishing tactics. Talk to employees in different roles about how people might approach them to ask for illegitimate access. Remind workers about the importance of internal security, and help them easily report suspicious requests.

These tips will help you safeguard your organization against social engineers. However, if someone still manages to access your data, don’t try to hide it — contact local FBI agents immediately. Your data can’t be “unhacked,” but you might be able to stop the hackers before they do any more damage.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
