More than 90% of cyberattacks rely on social engineering
Threat actors leverage social engineering to gain access to privileged systems through people. No matter how much hardening a company does to its infrastructure, the “Human OS” remains the most hackable system of all.
Picnic’s blog is where we talk about the various attack vectors social engineers use, the magnitude of the data problem, and things you can do to protect yourself.
"Picnic’s blog is really a service to be taken advantage of. Enlightening and fun to read!" – @hristuccia
Picnic stops humans
REDTEAM RAW, EPISODE #2: Jean-Francois Maes on how he became a SANS Instructor and Offensive Cyber Security Expert (RedTeamer)
In the second episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with certified SANS instructor, author, researcher, consultant, and rock star RedTeamer Jean-François Maes, known on Twitter as @Jean_Maes_1994. Based in Belgium, Jean-François is the founder of redteamer.tips and is an avid contributor to the offensive security community. He is currently a security […]
RedTeam Raw, Episode #1: Marcello Salvati on how he became a leading Red Teamer (and Cyber Security Expert)
Marcello Salvati shares his perspectives on InfoSec, advice for those getting started in this space, how he got to where he is now, overcoming burnout and managing time, red team stories, and where he thinks InfoSec is heading over the next 10 years.
FOR LAPSUS$ SOCIAL ENGINEERS, THE ATTACK VECTOR IS DEALER’S CHOICE
Make no mistake about it, we are in a war that is being fought in cyberspace, and unfortunately companies like Okta and Sitel are collateral damage. Just as in a hot war, one of the most successful methods for countering insurgent attacks is to “turn the map around” to see your defenses from the perspective of the enemy. This outside-in way of thinking offers critical differentiation in the security-strategy development process, where we desperately need to change the paradigm and take proactive measures to stop attacks before they happen.
Think Like a Hacker to Stop Attacks Before They Strike
This type of exercise should be run continuously, in good times and in bad. Digital footprints and employee populations are in constant flux, and so are attacker motives and methods. Building this kind of capability will help build a security culture and create good operational security practices, which should be the backbone of any security strategy.
Remember, hackers scout your organization to find an easy way in so they can compromise your people, your company, and your brand (in that order).
Picnic solves this problem at scale, so if you want to learn more about how to come upstream of the attack to stop hackers, please get in touch with us to schedule a demo.
How to sharpen your corporate social media policy for today’s threats
For any business, social media platforms can be a gateway to reaching larger audiences. However, they have also gained the attention of cyber-criminals who are more than willing to use them against you. Considering the average data breach costs companies in the U.S. $7.91 million, the importance of protecting company, customer, partner, and employee data cannot be overstated. Businesses with a holistic social media policy in place will be in a better position to protect both their employees and their organization against potential attacks.
We give up more data than we’ll ever know. While it would be nearly impossible, if not unrealistic, to shut down this type of collection completely, we need to rethink how much we unwittingly disclose in order to reduce the risk of falling foul of cybercrime.
Cybercrime awareness is no longer enough to reduce risk
Security awareness training is a common corporate exercise – but it is no longer enough to reduce risk. By empowering your employees to safeguard their own digital footprints – along with company data – you can start to develop truly formidable foes of cybercrime.
Are we thinking about Surveillance Capitalism the right way?
There is no denying that we’re fundamentally willing to exchange some measure of privacy for convenience. We also know that steps, albeit baby ones, have and continue to be taken around privacy and the right to be forgotten. But we also need to acknowledge the bigger issue of surveillance capitalism: it is not immune to surveillance itself and the personal data that it reaps may put us all in danger.
How much control have we given up just to enjoy the digital life?
Today, the technologies behind websites that collect data have become very sophisticated. But this is a little like when cars first made an appearance. People stepped into these hulking, loud and very fast fun machines, and there was an absence of speed limits and seatbelts, and not even a thought of an air bag. It took many tragedies to change laws and promote the development of safety technologies to keep us safe. When it comes to the Internet, we are basically speeding down the highway, standing in the bed of a pick-up truck. It has been fun, but now is the time to start thinking about the parameters that will keep us safe. We need digital seat belts and air bags to help minimize the risk and misuse of our personal data.
Employees can be very wary about privacy, yet at the same time may not be very aware of the vulnerability of their personal digital footprint. But everyone is susceptible to cyberattacks, and the impact can be severe for both individuals and their employers. The perceived value of cybersecurity as an HR benefit will only increase with time – and with the prevalence of cybercrime. Prescient employers are making moves now to bolster their cybersecurity culture and offer a competitive benefit that will be attractive to prospective employees.
Social engineering may be even more dangerous in our pandemic-driven distributed work environments. Corporate and personal spheres overlap more than ever and can give social engineering opportunists more footholds into our confidential lives – both private and corporate. Both individuals and corporate security leaders would do well to shift greater focus to vulnerability reduction, leaving less opportunity for social engineers.
So how do we go about defending against cyber-attacks and improving the untrustworthy mind? The short answer is we don’t. As the age-old security acronym PICNIC suggests, the Problem exists “in the chair” and “not in the computer.” Across many different studies and the experiences of companies themselves, training methods that ask people to make conscious efforts to defend against social engineering cyber-attacks have been unsuccessful. If technological barriers don’t work and cognitive responses can’t be changed, then what is the answer? The solution requires addressing the condition that attracts the social engineer in the first place – data exposure. Companies that manage data exposure will reduce the attack surface, and thus, take the psychological advantage away from the social engineer.
Ransomware is a form of malicious cyberattack that uses malware to encrypt the files and data on your computer or mobile devices. As the name suggests, the cyber-criminals behind the malware then demand a ransom in exchange for releasing your data or restoring your access to it.
Social engineering is a term that encompasses a broad spectrum of notorious and malicious activities. The common, defining attribute is the ability to exploit the one weakness every person and organization has: human psychology. Instead of relying on programming and code, social engineering attackers use phone calls, e-mails and other methods of communication as their main weapon. They trick victims into willingly handing over either personal information or an organization’s proprietary secrets and sensitive data.
Phishing attacks are a common and ever-present threat. Keep your security tight and never share personal details over email, phone, or in a message. You never know when you are exposing yourself to cyber attackers out there.
Phishing is when modern-day fraudsters attempt to obtain sensitive information from a person or organization by posing as another person or a company online. They might be after your user information, such as passwords or usernames, or your credit card and banking information. Employers should also be concerned, as fraudsters have been known to steal sensitive or damaging information from employees or to gain control of an entire company’s software.