The average person thinks that companies get hacked by super hackers with amazing knowledge on computer systems and can break encryption by staring at jumbled code like John Forbes Nash Jr. in the movie, A Beautiful Mind.
It may be true, but more often the truth is, though the super hackers are pretty darn smart with the computer and with networks, they can’t decrypt encryption by staring at it, most have stopped trying to port scan public facing IP addresses and running metasploit and using an exploit if they find a vulnerability. Edge devices are run by IT professionals who work with security and are reviewed often through regulatory compliance and audit. Hackers are now attacking the weakest link: The employees and contractors!
Employees and contractors are known to:
- Click on phishing emails
- Fall for fake phone calls
- Use weak passwords
- Use Free Public WiFi
- Over-share Publicly on Social Media (and having too many friends)
- Moving work data to their personal cloud storage
- Not encrypt when appropriate
Phishing emails might contain attachments of viruses, but those are usually caught in the email gateway, so the bad guys have evolved and use links or linked pictures that once clicked on, bring the victim to a familiar cloned website (like Facebook) where they try to log in, and bam, the credentials are stolen and the user is redirected to the “oops, you must of mistyped your password” page.
Fake phone calls are quickly becoming popular, as the bad guys pretend to be from a place of authority, let’s say the FBI doing an investigation, or technical support. The walk the user through changing their password or downloading something that will open a connection for the bad guys to virtually walk through.
Weak passwords are so very common, we as people like to remember easy stuff and the more complex the password, the harder it is for us to log in and get access to our digital stuffs. People keep passwords easy, but that makes it easier for bad guys to guess them.
Free Public Wifi is not always excellent customer service from a store, password sniffers or rogue access points will allow attackers to capture all data transmissions.
Over-Sharing on social media leads to interesting information gathering. Employees as customers to Facebook will put in their company and often vent about their organizational structure (their boss) and talk about their day, giving viewers/researchers/bad guys a good understanding of the operational stance. Link this sin with phishing emails or fake phone calls, allows the bad guy to play a convincingly legitimate person who can ask for bank transfers or access to confidential systems.
Personal cloud storage is mighty convenient and the new Microsoft Office even allows you to directly write to OneDrive, or Google Docs storing everything in Google Drive. Control gets lost easily over confidential data. Cloud storage is also constantly under attack and so are the administrators in hopes that they themselves commit some of these sins. Cloud storage does contain potentially millions of users data and is a target rich environment.
Not encrypting where appropriate might be a little bit of a hassle, but there are solutions where you can set it and forget it… and nowadays it seems that it is always appropriate.Encryption is not a new concept, there are also thousands of ways to encrypt your data. Like I started this post with, I doubt there are bad guys who can stare intently at encrypted data and figure it out.
The best defense against these attacks is through education and awareness.