By Aaron Oliver
Over the past year cyber security has been thrust to the forefront of cyber related news as there have been several worldwide attacks in the form of malware and ransomware. Most recently the "WannaCry" outbreak that paralyzed thousands of companies’ systems was talked about by every news organization on the planet. But there is another very common cyber threat that you don’t hear about as often, it is responsible for millions of systems being compromised and is often how some of these global events get started. It’s called “Social Engineering”.
Social engineering can take many forms and can be employed in several different ways. An attacker may call and pretend they are with your IT team and ask for information or for remote access to your employees’ systems. Once they gain access to a system attackers can deploy programs that will allow them to log back in later for more investigation into how the network is setup or do malicious things. Another way attackers use social engineering is by targeting email addresses of people in the company at different levels. Attackers pretend their email is from a legitimate vendor, partner, or other trusted entity such as Microsoft. These emails will often have attachments which when opened will launch malicious code that will deploy malware or another type of malicious program to a user’s system.
For social engineering to be effective and have your users take the bait, attackers will likely learn as much about your company as they can from public sources so their rouse can be believable at a first glance whether that be on the phone, email, or even in person! There are hundreds of ways attackers can target your company and get information, but there’s a low hanging fruit an attacker will use first: your website.
Your website is one of the first things an attacker is going to scour for information on where/how to attack your company. A lot of companies feel the need to introduce their upper management, boards of directors, or directors of individual departments on their website. This is a treasure to a would-be attacker. Some companies go a bit further and list the direct phone line and the email addresses of these individuals. In other cases, companies will list their entire employee directory on their websites, and that is just asking for trouble.
We understand the need or the want to offer transparency to your clients or potential clients, but you must weigh the security risks. When an attacker searches the entire site – or crawls – your company website, and they see the IT director’s name, or the director of finance or accounting, it arms them with names of people within the organization to use in their rouse. That attacker could then call anyone in the company and say they are an IT technician working for “IT director’s name” and are installing new software on the computers of everyone in the accounting/finance departments at the request of “accounting director’s name”. Once they establish a bit of trust with the targeted employee they can get a remote session and do almost anything within the network. Another tactic is an attacker will send out an email posing as one of these directors to get everyone in a company to open it, or pose as a vendor or partner listed on the company’s website to get someone to click an attachment. Once again, game over and the attacker has access.
These types of attacks are happening every day all over the world. Removing names and email addresses from your company website may prevent an attacker from having all the information they need to start an attack. While this is not going to stop all attacks, it will certainly make a would-be attacker work a little harder to obtain this information. It is also important to educate all the employees on the proper way to respond to inquiries from their IT staff or support personal and to know the different ways in which their support staff would be contacting them. With proper training, employees will not allow just anyone to log into their system.
Aaron Oliver is a Senior Network Engineer at ThrottleNet