An electric utility company takes cybersecurity beyond the perimeter

The challenge


This client, like most utilities, possesses a strong culture of safety and a similar commitment to security. As a utility, it also operates in one of the 16 sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA) as part of the United States’ critical infrastructure. This means that the organization faces a specific set of requirements, which include disciplined cybersecurity practices.

Traditional cybersecurity has focused mainly on the internal environment and on data layers within the organization. For that reason, the organization sought a solution that expanded the purview and practice of cybersecurity beyond its walls. Management felt the need to identify and address vulnerabilities in the data “out there,” where more than 90% of cyberattacks now originate.

They also wanted an external perspective to support an outside-in approach to security. They wanted to know how malicious actors could gather information about users to mount an attack on the company. What could those actors find on social media profiles and what messages could they use to launch socially engineered attacks? What could they learn about the organization’s hardware and software and its methods of authentication? What could they learn about its supply chain: What products does it buy? From whom does it buy these products? How does it pay its vendors? What could attackers learn about the leadership team, the Board, employees, investors, and other stakeholders that would make the organization vulnerable to attacks?

Another goal was to broaden the conversation about cybersecurity within the organization. Given the exposures that can be unwittingly created by users with legitimate access to the organization’s systems, leaders had come to see that cybersecurity is everyone’s responsibility. They also wanted to go beyond simply training and coaching people on how to “be careful” when using their laptops and devices; they wanted easy-to-use tools to support users’ efforts to keep systems secure.

Before learning about Picnic, the security team had worked to understand which publicly available data could create vulnerabilities and, to address reputational risk, what people were saying about the company. Yet these efforts were ad hoc, such as monitoring social media feeds, and they employed few tools, such as customized scripts and open-source tools. They wanted to harness data science to see across the internet and to identify the controls they really needed to have in place.

In sum, the security team realized that their environment lacked a defined perimeter, which meant that firewalls, endpoint protection tools, and role-based access controls could no longer provide the needed level of security.

The solution

Picnic provided both ease of enrollment for employees and tools that enabled employees to easily remove publicly available data on themselves.

Picnic’s capabilities let a user simply agree to be deleted from multiple sources of public data gathering, which Picnic handled for both the user and the organization.

The Picnic Command Center enabled analysts from the security operations team to seek out types of data that expose the organization to risk. That, in turn, positioned the team to educate employees about ways in which an attacker could use a particular type of information against themselves or the company. This created a clear division of responsibility: The organization flagged the risks while the employees controlled the data they deleted or left up.

The organization presented Picnic as a benefit to employees, which it is. Although other identity protection tools are presented that way, they are primarily geared to post-event remediation. In contrast, Picnic enables each employee to identify and deal with their publicly available data in private, so they can lower their individual risk, and by extension risk to the organization. Each employee gets to make changes dictated by their own preferences rather than their employer’s. With information from Picnic, they were able to, for example, adjust the privacy settings on their social media accounts so that only specific family members and friends can view them. Whatever steps they took reduced their exposure to attack—a benefit to them and to the organization.

Clear and consistent communications during rollout clarified both the rationale and use of the tools. Integration with the organization’s existing technology was straightforward, with Picnic tools fitting readily into existing solutions. The client/Picnic team took an agile approach to both the development methodology and operational implementation.

The impact

Picnic has assisted the security staff in identifying vulnerabilities and assisted employees in monitoring and limiting their risk exposures. The tools have provided protective controls for employees while minimizing extra steps and added work on their part. It has also helped the security staff to more effectively identify where potential threats might originate and the various forms that attacks could take.

Yet the impact of Picnic extends beyond what the platform itself does. It has enabled the security staff to launch a broader and deeper conversation about cybersecurity at the organization. This has created the opportunity to better understand, explain, and contribute to the organization’s culture of security. The security staff does not usually use the term “culture of security” with employees but the leadership team discusses it and works to create that culture. Picnic has accelerated that effort.

Picnic has also reduced burdens on the security team. It has helped to establish that everybody needs to maintain high awareness of how their social media settings or internet presence create risks. By their nature, the tools dramatically increase employee engagement in cybersecurity in ways that training sessions or video tutorials cannot.

The Picnic toolset has delivered capabilities that allow security staff to see risks outside of their corporate walls and to mitigate them. The security team can now not only alert users to the risks they face; they have also initiated new controls, such as multi-factor authentication on items that could be of use to an attacker. They have added new controls over remote access and other attack vectors where an attacker could access personal information from a data log or a compromised website. The organization is also using password reset tools that make users’ lives easier, while increasing their efficiency and effectiveness.

While no single solution can eliminate every data security issue, Picnic has broadened the organization’s view of its threat landscape and positioned it to better address risks. It has also reduced its attack surface, broadened the conversation about cyber risk and security, and delivered increased security to employees and the organization. This has occurred in the context of Picnic’s sound and sustainable methodology, process, and program for identifying and addressing social engineering threats.

1 https://www.cisa.gov/critical-infrastructure-sectors

REDTEAM RAW, EPISODE #2: Jean-Francois Maes on how he became a SANS Instructor and Offensive Cyber Security Expert (RedTeamer)

In the second episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with certified SANS instructor, author, researcher, consultant, and rock star RedTeamer Jean-François Maes, known on Twitter as @Jean_Maes_1994. Based in Belgium, Jean-François is the founder of redteamer.tips and is an avid contributor to the offensive security community. He is currently a security researcher at HelpSystems where he aids the Cobalt-Strike team in developing new features.

We discuss how he got into InfoSec and became a SANS instructor; the difference between pentesting, Red Teaming, and Purple Teaming; the most common ways of gaining a foothold as a RedTeamer; a RedTeam story with flowers from Jean-François; his tool Clippi-B; how he manages his time; motivations and resources for becoming a hacker; advice for getting into the industry and being able to stand out; Jean’s biggest challenge at the moment, and where he sees the industry going.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

FOR LAPSUS$ SOCIAL ENGINEERS, THE ATTACK VECTOR IS DEALER’S CHOICE

By Matt Polak, CEO of Picnic

Two weeks ago, at a closed meeting of cyber leaders focused on emerging threats, the group agreed that somewhere between “most” and “100%” of cyber incidents plaguing their organizations pivoted on social engineering. That’s no secret, of course, as social engineering is widely reported as the critical vector in more than 90% of attacks.

LAPSUS$, a hacking group with a reputation for bribery and extortion fueled by a kaleidoscope of social engineering techniques, typifies the actors in this emerging threat landscape. In the past four months, they’ve reportedly breached Microsoft, NVIDIA, Samsung, Vodafone and Ubisoft. Last week, they added Okta to the trophy case.

For the recent Okta breach, theories abound about how the specific attack chain played out, but it will be some time before those investigations yield public, validated specifics. 

As experts in social engineering, we decided to answer the question ourselves—with so many ways to attack, how would we have done it? Our thoughts and findings are shared below, with some elements redacted to prevent malicious use.

How Targeted was this Social Engineering Attack?

To start, we know that Okta’s public disclosure indicates the attacker targeted a support engineer’s computer, gained access, installed software supporting remote desktop protocol (RDP) and then used that software to continue their infiltration:

“Our investigation determined that the screenshots…were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP…So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the RDP session.”

For attackers to successfully leverage RDP, they must:

  1. Be able to identify the location of the target device—the IP address.
  2. Know that the device can support RDP—Windows devices only.
  3. Have knowledge that RDP is exposed—an open RDP port is not a default setting.

Let’s take a look at each of these in more detail: 

How Can an Attacker Identify Target Devices to Exploit RDP? 

Sophisticated attackers don’t “boil the ocean” in the hope of identifying an open port into a whale like Okta—there are 22 billion connected devices on the internet. In fact, LAPSUS$ is a group with a history of leveraging RDP in their attacks, to the point that they are openly offering cash for credentials to the employees of target organizations if RDP can be installed—quite a shortcut. 

Putting aside the cultivation of an insider threat, attackers would rightly assume a company like Okta is a hard target, and that accessing it via connected third parties would be an easier path to success.

Our team regularly emulates sophisticated threat actor behaviors, so we started by mapping the relationships between Okta and different organizations, including contractors and key customers. Cyber hygiene problems are often far worse for large organizations than individuals, and our methods quickly uncovered data that would be valuable to threat actors. For example, Okta’s relationships with some suppliers are detailed here, which led us to information on Sitel / Sykes in this document. Both are examples of information that can be directly weaponized by motivated attackers.

Two killer insights from these documents:

  1. Sykes, a subsidiary of Sitel, provides external technical support to Okta. 
  2. Sykes uses remote desktop protocol as a matter of policy.

This information makes an attacker’s job easier, and would be particularly interesting to a group like LAPSUS$—an RDP-reliant contractor with direct access to Okta’s systems is a perfect target.

Recon 101: Exploit Weak Operational Security Practices

With a target company identified, we ran a quick search of LinkedIn to reveal thousands of Sitel employees discussing different levels of privileged access to their customer environments. These technical support contractors are the most likely targets of attacks like the ones catching headlines today. Despite the investigation and negative publicity associated with this attack, more than a dozen Sitel employees are still discussing privileged access in the context of their work with Okta (nevermind the dozens of other companies). 

Now that we have defined this group, our focus narrows to deep OSINT collection on these individuals—an area where Picnic has substantial expertise. OSINT stands for open-source intelligence, and it is the process by which disparate pieces of public information are assembled to create a clear picture of a person’s life, a company, a situation, or an organization. Suffice to say that our standard, automated reconnaissance was sufficient to craft compelling pretext-driven attacks for most of our target group. 

To cast this virtual process in a slightly different light, imagine a thief casing your neighborhood. Good thieves spend weeks conducting reconnaissance to identify their targets. They walk the streets and take careful notes about houses with obscured entryways, unkempt hedges, security lights and cameras, or valuables in plain sight. 

Social engineers are no different: they are essentially walking around the virtual world looking for indicators of opportunity and easy marks.  

Before we explore how to go from reconnaissance to the hardware exploit, let’s recap:

  1. We are emulating threat actor behaviors before Okta’s breach.
  2. We conducted organizational reconnaissance on our target: Okta.
  3. We identified a contractor likely to have privileged access to the target: Sitel.
  4. We narrowed the scope to identify people within Sitel who could be good targets.
  5. We further narrowed our focus to a select group of people that appear to be easy targets based on their personal digital footprints.

All of this has been done using OSINT. The next steps in the process are provided as hypothetical examples only. Picnic did not actively engage any of the identified Sitel targets via the techniques below—that would be inappropriate and unethical without permission. 

Identifying the Location of the Device for RDP Exploit

There are three ways that attackers can identify the location of a device online: 

  1. Pixel tracking
  2. Phishing
  3. OSINT reconnaissance

Just as we conducted OSINT reconnaissance on people and companies, the same process is possible to identify the location of the target device. By cross-referencing multiple sources of information such as data breaches and data brokers, an attacker can identify and leverage IP addresses and physical addresses to zero in on device locations. This is always the preferred approach because there is no risk that the attacker will expose their actions. 

Pixel tracking is a common attacker (and marketer!) technique to know when, and importantly where, an email has been opened. For the attacker, this is an easy way to identify a device location. Phishing is similar to pixel tracking: a clicked link can provide an attacker with valuable device and location intelligence, but pixel tracking only requires that an image be viewed in an email client. No clicks necessary. 

Pixel tracking and phishing are examples of technical reconnaissance that were more easily thwarted pre-COVID, when employees were cocooned in corporate security layers. With significant portions of knowledge workers still working at home, security teams must contend with variable and amorphous attack surfaces.

For social engineers, this distribution of knowledge workers is an asymmetric advantage. Without a boundary between work-life and home-life—the available surface area on which to conduct reconnaissance and ply attacks is essentially doubled.

Social engineering’s role in the RDP exploit

According to Okta’s press release, an attacker “obtained remote access using RDP” to a computer owned by Sitel. Based on threat actor emulation conducted by our team and the typical LAPSUS$ approach, it is clear that social engineering played a key role in this attack, which was likely via a targeted spear phishing campaign, outright bribery, or similar delivery mechanism, which would have provided attackers not only with device location information needed for the RDP exploit, but also important information about the device and other security controls. 

Remember that social engineers are hackers that focus on tricking people so they can defeat technical controls. Tricking people is easy when you know something personal about them—in fact, our research indicates attackers are at least 200x more likely to trick their targets when the attack leverages personal information. 

The amount of time, energy, and resources required to complete this reconnaissance was significant, but it was made easier by the two key documents found during our initial recon on the target. While there are other breadcrumbs that could have led us down the same path, many of those paths offered less clear value, while these two documents essentially pointed to “easy access this way.” Finding these documents quickly and easily means that hackers are likely to prioritize this attack path over others—the easier it is, the less time and resources it consumes, and the greater the return on effort. 

Key learnings for cyber defenders

Recognize you are at war. Make no mistake about it, we are in a war that is being fought in cyberspace, and unfortunately companies like Okta and Sitel are collateral damage. Just as in a hot war, one of the most successful methods for countering insurgent attacks is to “turn the map around” to see your defenses from the perspective of the enemy. This outside-in way of thinking offers critical differentiation in the security-strategy development process, where we desperately need to change the paradigm and take proactive measures to stop attacks before they happen. I wrote another short article about how to think like an attacker that might be helpful if you are new to this approach.

Be proactive and use MITRE—all of it. The prevailing method used by cyber defenders to map attacker techniques and reduce risk is called the MITRE ATT&CK framework. The design of the framework maps fourteen stages of an attack from the start (aptly called Reconnaissance) through its end (called Impact)—our team emulated attacker behaviors during the reconnaissance stage of the attack in this example. Cyber defenders are skilled at reacting to incidents mainly because legacy technologies are reactive in nature. MITRE recommends a proactive approach to remediating the reconnaissance stage to “limit or remove information” harvested by hackers. Defenders have an opportunity to be proactive and leverage new technologies that expand visibility and proactive remediation beyond the corporate firewall into the first stage of an attack. Curtailing hacker reconnaissance by removing the data hackers need to plan and launch their attack is the best practice according to MITRE. 

Get ahead of regulations. Federal regulators are also coming upstream of the attack and have signaled a shift with new SEC disclosure guidance, which requires companies to disclose cybersecurity incidents sooner. Specifically, one key aspect of the new rule touches on “…whether the [company] has remediated or is currently remediating the incident.” New technologies that emulate threat actor reconnaissance can make cyber defenders proactive protectors of an organization’s employees, contractors, and customers long before problems escalate to front page news. These new technologies allow companies to remediate risk at the reconnaissance stage of the attack—an entirely new technology advantage for cyber defenders. 

Every single attack begins with research. Removing the data that hackers need to connect their attack plans to their human targets is the first and best step for companies who want to avoid costly breaches, damaging headlines, and stock price shocks.

How to sharpen your corporate social media policy for today’s threats

Using social media is, without a doubt, one of the most popular online activities that internet users engage in. Businesses have also discovered how to leverage social media to create opportunities for their brands. However, the use of these platforms has also created many risks. Not only can a bad social media post spiral into a full-blown PR crisis, but social media has become a data channel that cybercriminals exploit regularly to steal sensitive corporate information or cause huge reputation damage. Many businesses create a social media policy for their organization but often don’t understand how to fully protect themselves.

The Social Media Policy

It is said that 3.96 billion people and 88% (and rising) of companies currently use social media platforms worldwide. Despite its high usage, social media culture is still relatively new territory for both employers and employees. Businesses have recognized that unwise social media can create detrimental outcomes, but the social media policies these companies develop show a level of naivete when it comes to understanding risk.

The corporate social media policy is often a document that resides in a company’s intranet rarely unchanged from the date of inception. It is often a standard practice to include the social media policy at point of employee on-boarding as part of the contractual process between employee and employee. Typically, the contents of the policy are centered around the do’s and don’ts of employee usage, regulatory or compliance obligations and will explain expectations in terms of employee conduct online. For example, Dell Global’s Social Media Policy is reported to be as follows:

  1. Protect Information
  2. Be Transparent and Disclose
  3. Follow the Law, Follow the Code of Conduct
  4. Be Responsible
  5. Be Nice, Have Fun and Connect
  6. Social Media Account Ownership

The overall goal is to set expectations for appropriate behaviour and ensure that an employee’s usage will not expose the company to legal problems or public embarrassment.

The example policy is also remarkably vague. There are probably a couple of reasons for this. Today’s HR departments are very sensitive to employee privacy concerns. There may be a reluctance to lay down specific rules for behaviour that may seem subjective and intrusive.

However, there is a difference between something that is embarrassing and something that is dangerous. Many companies like this are clearly not concerned about network security implications and how employee actions online may compromise both personal and corporate security. The reality is that there is a real need for specific rules (or at least “tips”) regarding how employees present personal data about themselves on social media.

Social media content is highly susceptible to cybercriminals

Social media usage exposes company networks to hacks, viruses and privacy breaches. How? Social media encourages people to share personal information or Personally Identifiable Information (PII). Even the most cautious and well-meaning employee can give away information they should not or accidentally disclose sensitive company information. With this data, cyber criminals who use social engineering techniques can more effectively exploit the gullibility and misplaced trust of many social media users – having serious consequences for those users and their employers’ networks.

All it takes is one mistake. According to the latest EY Global Information Security Survey 59% of organizations had a “material or significant incident” in the past 12 months. Research also found that 21% of organizations have been infiltrated by malware via Facebook and 13% report that their organization has been infiltrated by malware via YouTube. So, what can be done to reduce the risk and ensure your employees and your brand are protected?

The Social Media Policy: What you can do to safeguard against potential attacks

The first step should be to implement a detailed and effective social media policy. While 80% of businesses report having a social media policy in place, the reality is the majority of policies (58%) could be described as general in nature – only 28% have a detailed and thorough policy. So, what additional guidance should your social media policy include? Be focused on data exposure as much as reputation. Here are just a few examples of some rules to publish to get started:

  1. Don’t accidentally describe your tech stack: If you are a technical person, like an engineer, you may want to post your technical proficiencies online. However, combined with your job title, you could end up describing the technical infrastructure of your company, which, of course, may give information to a hacker or social engineer that they need to attack the company. So, what might seem like a clear description of your current employment and career path, in today’s world, you are only revealing information that won’t actually help you but might harm you if it falls into the wrong hands.
  2. Don’t post your resume online: Yes, your LinkedIn page is a resume…but it isn’t. Resumes typically contain personal contact information that can be protected by LinkedIn’s UI structure. Remember that resumes are artifacts from old one-to-one communications between job seeker and employer. In today’s world, you are only revealing information that won’t necessarily help you, and but might actually harm you if it falls into the wrong hands.
  3. Pay attention when providing personal information online: In general, we all should be wary of giving out information that helps make us personally identifiable. For example, middle name, birth place, marriage status, check-in and sharing current location status. Each of these bits of information are innocent in themselves, but used in combination with other information, social engineers are equipped with more tools to attack you or leverage your personal data to get access into sensitive parts of your company.
  4. Help employees spot suspicious activity: While employees can be your weakest link when it comes to potential cybersecurity risks, they can also be your greatest asset in protecting your company. Educating and teaching employees on how to spot and identify suspicious activity such as dubious links or downloads will also go a long way in reducing potential attacks and malware intrusion in your computer systems.

For any businesses, social media platforms can be a gateway to reaching larger audiences. However, they have also gained the attention of cyber-criminals who are more than willing to use them against you. Considering the average data breach costs companies in the U.S. $7.91 million, protecting company, customer, partner, and employee data cannot be understated. Businesses with a holistic social media policy in place will be in a better position to protect both their employees and organization against potential attacks.

An ocean of data…and of ears

How much data is produced every day? A quick Google search will tell you the current estimate stands at 2.5 quintillion bytes. For those of us that don’t know the difference between our zettabytes and yottabytes, that’s 2.5 followed by a staggering 18 zeros! Basically, the simple answer is a lot. A lot of data is produced and collected every day – and it is growing exponentially.

It might be hard to believe but the vast majority of the world’s data has been created in the last few years. Fueled by the internet of things and the perpetual growth of connected devices and sensors, data continues to grow at an ever-increasing rate as more of our world becomes digitized and ‘datafied’. In fact, IDC predicts the world’s data will grow to 175 zettabytes by 2025. It’s mind-boggling to think that humans are generating this, particularly when looked at in the context of one day. Or is it?

Data captured and stored daily includes anything and everything from photos uploaded to social media from your latest vacation, to every time you shout at your Google Home or Amazon Echo to turn on the radio or add to the shopping list, even information gathered by the Curiosity rover currently exploring Mars. Every digital interaction you have is captured. Every time you buy something with your contactless debit card? Every time you stream a song, movie or podcast? It’s all data. When you walk down the street or go for a drive, if you’ve a digital device, whether is your smartphone, smartwatch, or both – more data.

The majority of us are aware, possibly apathetic, that this data is collected by companies – but what might be more pernicious is the number of listeners out there and the level of granular engagement that is tracked. From device usage to Facebook likes, Twitches, online comments, even viewing-but-skipping-over a photograph in your feed, whether you swipe left or right on Tinder, filters you apply on selfies – this is all captured and stored. If you have a Kindle, Amazon knows not only how often you change a page but also whether you tap or swipe the screen to do so. When it comes to Netflix, yes, they know what you have watched but they also capture what you search for, how far you’ve gotten through a movie and more. In other words, big data captures the most mundane and intimate moments of people’s lives.

It’s not overly surprising that companies want to harvest as much about us as possible because – well, why wouldn’t they? The personal information users give away for free is transformed into a precious commodity. The more data produced, the more information they have to monetize, whether it’s to help them target advertisements at us, track high-traffic areas in stores, show us more dog videos to keep us on their site longer, or even sell to third parties. For the companies, there’s no downside to limitless data collection.

Data management: Data protection is weak

The nature of technology evolution is that we moved from ephemeral management of data to permanent management of data. The driver of that is functionality. On the one hand, the economics of the situation make it so that there is very little cost to storing massive amounts of data. However, what of the security of that data – the personal, the mundane, the intimate day-to-day details of our lives that we in some cases unwillingly impart?

Many express concerns about Google, Facebook and Amazon having too much influence. Others believe it matters not what information is collected but what inferences and predictions are made based upon it. How companies can use it to exert influence like whether someone should maintain their health care benefits, or be released on bail – or even whether governments could influence the electoral – Cambridge Analytica, I hear you shout. However, while these are valid concerns, what should be more troubling is the prospect of said personal data falling into the wrong hands.

Security breaches have become all too common. In 2019, cyber-attacks were considered among the top five risks to global stability. Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts. Other recent notable breaches include First American Financial Corp. who had 885 million records exposed online including bank transactions, social security numbers and more; and Facebook saw 540 million user records exposed on the Amazon cloud server. However, they are certainly not alone sitting atop a long list of breaches. Moreover, while it is certainly easier to point the finger in the direction of hackers, well-known brands including Microsoft, Estee Lauder and MGM Resorts have accidentally exposed data online – visible and unprotected for any and all to claim.

COVID-19 has only compounded the issue, providing perfect conditions for cyberattacks and data breaches. By the end of Q2, 2020 it was said to be the “worst year on record” in terms of total records exposed. By October, the number of records breached had grown to a mind-boggling 36 billion.

Brands and companies – mostly – do not have bad intentions. They are guilty of greed perhaps, but these breach examples highlight how ill-prepared the industry is in protecting harvested data. The volume collected along with often lack-luster security provides easy pickings for exploitation. In the wrong hands, our seemingly mundane data can be combined with other data streams to provide ammunition to conduct an effective social engineering campaign. For example, there is a lot of information that can be “triangulated” about you that may not be represented by explicit data. Even just by watching when and how you behave on the web, social engineers can determine who your friends and associates are. Think that doesn’t mean much? That information is a key ingredient to many kinds of fraud and impersonations.

One could postulate that the progress of social engineers should not be thought of merely as an impressive technological advancement in cybercrime. Rather these criminals have peripherally benefitted from every other industry’s investment in data harvesting.

Data management: Rethinking data exposure

We give up more data than we’ll ever know. While it would be nearly impossible, if not unrealistic, to shut down this type of collection completely, we need to rethink how much we unwittingly disclose to help reduce the risk of falling foul to cybercrime.

Cybercrime awareness is no longer enough to reduce risk

People’s perceptions have changed. Not so long ago we thought nothing of kids playing outside all day alone, unchaperoned visits to a friend’s house, walking to school alone – the list goes on. But as times have changed, we have become much more vigilant about personal safety. The same can be said for the online world. The majority of us are well-aware of cybercrime and are generally on our guard for suspicious emails and websites. Yet despite this everyday vigilance, social engineers find ways to take advantage of our online behavior.

Cybercrime: We are already suspicious

When it comes to business IT security, company leaders generally want to establish a strong cybersecurity culture within their organizations. It’s a very natural thing to do. Human resources department training typically focuses on awareness and highlights typical mistakes that open the doors to a business’ systems and data. It shines a spotlight on what it means to be aware. But conducting security awareness training is not enough to reduce risk completely. Why? The truth is that most people are already “cyber aware.” We have all already formed an opinion on cybersecurity, and whom we trust.

Just think about it. How often do you hear a knock on the door these days, except from an unexpected visitor? A generation ago, a ringing doorbell was nearly cause for celebration. Everyone in the house leaped into action in near perfect unison. But people’s attitudes have changed. We are now not just suspicious, but actually distrustful, of people knocking on our door. We are conscious that not everyone who calls to the door nowadays is legit. It’s born out of the fact that we are aware of the many door-to-door scams or have been a victim of a cold caller ourselves. Besides, due to smartphones, we already know in advance if someone is dropping by – anyone else is considered an uninvited caller. In this way, the escalation of increasingly invasive marketing and social networking manipulation, coupled with technology that makes us easier to track and easier to target, has driven a culture-wide sense of security awareness.

The same can be said for cybersecurity. Nearly everyone is aware of the classic Nigerian 401 scam. In return for a few thousand dollars, email recipients are guaranteed several million in return. Word spread already years ago that this, and many others like it, was a scam; and people now ignore such basic scams out of habit. Like the bogus salesmen calling to the door, we already have a heightened sense of awareness, causing us to be more cautious.

Cybersecurity training: Awareness alone doesn’t solve the problem

There is no question that awareness of cybersecurity is high now and has been for a couple of years – and that’s a good thing. The problem is that while cyber security training within an organization is well intentioned, it is solely invested in creating awareness. At this point, however, we are way past awareness. People are already suspicious of bogus email, SMS messages and calls.

The real focus should be on personal attack surface, e.g. the aforementioned data that makes us easier to track and to target. Attention needs to be given to the significance of personal information, the sharing of it and how to defend it. While we are “aware” cybercrime exists, many of us may not fully understand the implications of actions that open the door to cybercrime. This is partially why social engineering and other large-scale data breaches are often so successful – and you only need to look at the stats.

A 2017 Tenable survey found that nearly all participants were aware of security breaches. What the survey also revealed was that many admitted to not taking some degree of precaution to protect their personal data and have not changed their security habits in the face of a public threat. Not surprisingly, another study from Stanford University and security firm Tessian revealed that nine in ten (88%) data breach incidents are caused by employees’ mistakes – and costly ones at that. In 2020 alone, data breaches cost businesses an average of $3.86 million.

So, what, in light of this, are the best steps to start mitigating risk?

Reduce Employee Burden: Recognition of a person’s attackable surface

When it comes to reducing risk through employee training, businesses need to recognize that many people fall into one of two categories:

  1. There are those who are very concerned about personal data security. This cohort want to keep their data safe and do not want anyone “messing” with their personal information. They are already very much engaged with cybersecurity – they are not the problem.
  2. Then there are those who are the reverse. They are not interested in cyber security. They are aware but they don’t feel at risk, and as such are not willing to spend effort on it.

Trying to “convert” the second group of employees to become champions of cyber hygiene or cybersecurity can be, for a want of a better phrase, a waste of time. Until you can put cybersecurity into personal terms for each person, it is nearly impossible to change entrenched habits and opinions.

However, if you can pinpoint which extra-professional avenues of attack are most likely for an individual’s data profile, you may be able to make progress against this skepticism. It’s about recognition of a person’s attackable surface. Concern for one’s own personal safety will always trump concerns for company safety. Or, put in analog terms, you don’t have to convince suspicious people not to answer the phone; you need to convince them not to publish their phone number in the first place. The smarter everyone is about his or her personal data, the more secure the company will be.

Security awareness training is a common corporate exercise – but is no longer enough to reduce risk. By empowering your employees to safeguard their own digital footprints – along with company data – you can start to develop really formidable foes to cybercrime.

Are we thinking about Surveillance Capitalism the right way?

I recently purchased a greenhouse from a well-known catalogue retailer – now I’m swamped with Google and Facebook ads for greenhouse accessories and all manner of gardening paraphernalia. Ever wonder why this happens? The answer is that our data is systematically captured and then used to market to us, in a broad-scale set of processes known collectively as surveillance capitalism – a set of processes that are both pervasive and here to stay. While many of us dismiss the bombardment of ads as trivial, there are those who would argue that we need to be more au fait about this use of our data. While many people debate the intentions of those who conduct and profit from surveillance capitalism, the real concerns may be not simply the amassing of an incredible volume of personal data and its unprecedented synthesis; but moreover, the normalization of the surveillance techniques themselves that can fall into anyone’s hands.

What is surveillance capitalism?

The term surveillance capitalism was coined in 2014 by Shoshana Zuboff – a Harvard Business School Professor. In a book of the same name by Zuboff, she imparts that surveillance capitalism is an economic system centered around the commodification of personal data with the core purpose of profit-making. She states that surveillance capitalism claims our private digital experience as its source of free raw material and translates that raw material into behavioral data. In layman’s terms, surveillance capitalism outlines how commercial corporations – such as Google and Facebook – use data harvested from us to sell advertising, goods, and services. If anything, surveillance capitalism could be described as the business model of the internet.

Big Brother is watching, and we appear to be okay with it

Google pioneered surveillance capitalism – they were the first company to tap into this new form of profit-making. Now, it dominates the market. Tech companies, data brokers and other players continuously capture as much user data as possible not only to predict our behavior but also to influence and modify it so that it can be further used for commercial purposes. With so much to gain from digital data, surveillance capitalism is a trend that has spread far beyond big tech companies. Every bank, insurance company, supermarket, mobile phone operator, etc., now has its own surveillance capitalism strategy in place. Zuboff believes that this surveillance by private firms is a crisis as serious as climate change. She argues that it is a visible power grab that wields enormous economic and political influence. Should we really be more concerned about this state of affairs?

Many of us know and are aware that our data is being taken without our knowledge. We know big companies use data to manipulate us into becoming more predictable and more reliable consumers. As consumers we recognize that privacy concerns must be balanced against other societal goods. Some might say that what they are doing is really just marketing that has been adapted and updated for the digital era.

Many digital companies have been upfront about the trade-offs involved in using their products. Even Zuboff herself notes, “Privacy, they said, was the price one must pay for the abundant rewards of information, connection, and other digital goods when, where, and how you want them.”

It is interesting how the public view of privacy can quickly change based on our perception of who is collecting information and why. Generally, when it appears that we are getting back some perceived economic value, we have a mixed response to surveillance. But when it comes to government surveillance, the public broadly disapproves of invasions of privacy – even though the government utilizes the same core technology and collects the same sorts of data as the private sector. Events like the Cambridge Analytica scandal and Edward Snowden’s historic leak of US surveillance efforts highlighted the risk of political manipulation through data exploitation and reinforced public concerns around government surveillance and inference, weakening public trust.

The real security risk of surveillance capitalism

The morality and legality of commercial and governmental surveillance is often in the news. Less discussed, however, are the increased security risks the surveillance capitalism model creates for companies, governments, and individuals. Commercial and government data troves are, simply put, targets for social engineers. And the wealth of data underpinning surveillance capitalism is not just itself susceptible to attacks: it enables more effective social engineering crimes when accessed, in large part by adopting the same targeting techniques used by cutting-edge marketeers.

Data captured via surveillance capitalism can include details pertaining to finances, personal interests, consumption patterns, medical history, career path – in short, the raw material needed to carry out crimes like identity theft, business email compromise and even extortion and blackmail. It helps threat actors reach users across the web with ease and little oversight, since so much of the synthesis is automated. The bottom line is surveillance capitalism makes it relatively easy for bad guys to get their hands on rich data sets of highly personal information. It provides them with a substantial search facility to find and profile their next target and victim.

Data is not necessarily dangerous by itself. We all leave data trails as we live our digital life. Unconnected bits of data in an ocean of similar data don’t provide much of a foothold to cyber criminals. But surveillance capitalism has created an incentive to be much smarter about the synthesis of data. Now companies (and governments) are pulling all those data trails together to create a fuller picture of ‘you.’ Suddenly, everything is in one place. It is the concentration and rationalization of the data that now provides bad actors an easy way to steal identities and worse.

And the risk doesn’t end there. The science and techniques for surveillance, tracking and synthesis are being constantly improved. These same techniques can easily be weaponized if they fall into the wrong hands. So, whether or not a commercial enterprise has the intent to do harm or manipulate you may miss the larger point. Social engineers are like bees to honey for the data and methods of surveillance capitalism. The real concern is whether the many “well-intentioned” companies now storing gobs of sensitive information can keep your personal data secure.

Surveillance capitalism: The bigger picture

There is no denying that we’re fundamentally willing to exchange some measure of privacy for convenience. We also know that steps, albeit baby ones, have and continue to be taken around privacy and the right to be forgotten. But we also need to acknowledge the bigger issue of surveillance capitalism: it is not immune to surveillance itself and the personal data that it reaps may put us all in danger.

How much control have we given up just to enjoy the digital life?

We all enjoy life in the digital age and the Internet provides us connectivity, efficiency and fun. By submitting some of our personal data into online interfaces, we enjoy significant benefits in the form of services tailored to our needs; from banking to work, ecommerce, transport, dating, social media and everything in between. But, by using our personal information, and sometimes posting it in the public domain, we have created a problem. Who owns this personal data once it leaves your keyboard? And if it is misused, who is the negligent party? It might be you.

A day in the life of data: Just how much information do you give away?

Before the development of computer databases, we had certain expectations about privacy and accepted a certain level of public disclosure of personal information. And it seems this statement still rings true. Americans say they care deeply about protecting their data. Pew Research found that being in control of who can get information about us is “very important” to 74% of Americans. However, when it comes to online, a lot of people do not consider data privacy as an important issue. The irony!

With the advent of social media and messaging platforms we offer information about our personal life freely and voluntarily on a daily basis – and we rarely realize or question it. We regularly post personal (and sometimes compromising) pictures. We share our current location (and indicate where we are not!). We share our relationship status, where we went to school, where we live, work history, birth dates, phone numbers – the list goes on.

And we don’t even stop to think about it. We are too busy reaping the benefits.

“In general, there has never been so much personal information about individuals as readily accessible as there is today with the Internet,” says Kevin Werbach, professor of legal studies and business ethics at Wharton. “However, what most of us fail to recognize is that once content is posted online, it can be difficult to maintain total control over where it is eventually used, shared, or modified.”

Personal or private – data is open to misuse

Many consumers are unaware how their data is used or by whom. They operate with an assumption of trust. But data is regularly leveraged in ways the consumer never imagined. The data a user scatters can be harvested and analyzed to reveal a wide variety of personal attributes that, while seemingly innocuous by themselves, can add up to form a skeleton key that social engineers can use to unlock real personal assets or corporate secrets. Shopping habits, political affiliation, relationship status etc., can all be used as steps in the ladder of a cybercrime.

Adding a sad face to a post about stray dogs, for example, can reveal what charities you might support. “You may not say much about your salary, but your ‘likes’ on brands or restaurants say a lot. Your daily routines and whereabouts can be deduced from your posts – especially if they’re geo-tagged,” says Maria Fasli, Director of the Institute for Analytics and Data Science, University of Essex.

And when it comes to email and messaging services, most of us blindly accept that this information is private. But privacy and the internet don’t go hand in hand. Just who, other than the intended recipient, will receive or have access to the information you provided? Will it be shared with other parties? Is it at risk of being used in ways you did not consent to?

Anita L. Allen, professor of law and philosophy at the University of Pennsylvania and a leading expert on privacy issues, says the core questions raised by misuse of the Internet are not new. “It goes way back to the general problem that people will use personal information that they can collect through surreptitious or open means to advance their interest at our expense. What is new is the ease with which information can be collected and shared, and the ease with which it can be maintained for indefinite periods of time.” So, if we know our online data, both private or professional, can be misused, who is the negligent party? Are you to blame? The more fundamental question is not whether you own your personal data. The real question is whether or not you can control your personal data once it’s out there.

Who owns your personal data and who controls your personal data?

There are definitely blurred lines when it comes to data ownership – and negligence. If you post your social security number online, it’s pretty clear that if something bad happens, you are the negligent party. But when it comes to other personal data shared or communicated, it’s not so black and white.

Way back in the 2006, Kevin Werbach, who already was concerned about data ownership when using third parties, stated, “There’s a difference between putting information on a purely public site, like your own website that’s accessible to anyone in the world, and putting something on a site like Facebook, which is a controlled, private site available only to its members,” Werbach notes. “The question of who owns the information on these sites is a very interesting one. Most have policies saying they have ownership of anything posted there, but clearly that doesn’t give them leeway to do anything they want with that information. And they have privacy policies that impose limits on how they can use that data. But there’s no simple answer as to whether the information belongs to me or to the site.” And that was more than a decade ago.

Personal Data Security: How can we better protect ourselves?

In the early days of eCommerce, it was common for some people to have misgivings about entering their credit card into a website. What has taken a bit more time to emerge, however, is awareness of the Internet’s increasing threat to personal privacy.

Today, the technologies behind websites that collect data have become very sophisticated. But this is a little like when cars first made an appearance. People stepped into these hulking, loud and very fast fun machines and there was absence of speed limits, seatbelts, and not even a thought of an air bag. It took many tragedies to change laws and promote the development of safety technologies to keep us safe. When it comes to the Internet, we are basically speeding down the highway, standing in the bed of a pick-up truck. It has been fun, but now is the time to start thinking about the parameters that will keep us safe. We are in need of digital seat belts and air bags to help minimize risk and misuse of our personal data.

Social engineering in the workplace

Everyone is familiar with the case in which the proverbial “little old lady” is duped out of her life savings by a villain contacting her through the phone or email. The “Nigerian Scam” or “Advance-fee Scam” is once such classic scam you may know. The victim is offered a large sum of money on the condition that they help the scammer transfer money out of their country.  

The problem is that just knowing about these classic scenarios gives most people a false sense of security. The thought is, “It would never happen to me!” The first problem with this is that there are many types of these sorts of social engineering attacks that may not be so easy to recognize. The second problem is that most think this only happens at home.

In this article we will refresh our understanding of social engineering. We will review the currently known shapes and sizes of such attacks with a special focus on how they are used on employees in the workplace.

Social engineering: A review

Social engineering is a term that encompasses a broad-spectrum of notorious and malicious activities. The common, defining attribute is the ability to exploit the one weakness every person and organization has: human psychology. Instead of relying on programming and code, social engineering attackers use phone calls, e-mails and other methods of communication as their main weapon. They trick victims into willingly handing over either personal information, or an organization’s proprietary secrets and sensitive data.

Let’s focus on the seven most common social engineering attacks.

1.     Phishing

Phishing is one of the most common techniques. In most cases phishing uses fake forms and websites to steal vulnerable users’ personal data and login credentials. A phishing attempt commonly tries to accomplish one of three things:

  • Obtain sensitive and personal information such as names, date of birth, addresses, debit or credit card number, and Social Security Numbers.
  • Redirect users to malicious websites by creating misleading and shortened links and hosting a phishing landing page.
  • Incorporate fear, threats, and exploit a sense of urgency to manipulate the users into responding quickly without thinking rationally.
2.     Pretexting

As the name implies, in this social engineering attack, the fraudsters focus on creating a fabricated scenario or a good “pretext.” In a basic attack, the scammer typically claims they need certain information from you to confirm your identity. Once obtained, this information becomes the key to stealing your more personal data and/or to stage secondary attacks such as full identity theft.

In advanced pretexting, the target may be corporate. The key piece of information obtained may help them either exploit or abuse a company’s physical or digital weakness. For example, a cyber-fraudster may impersonate a third-party IT auditor and convince the targeted organization’s security team to grant them entrance into a secure building.

Pretexting fraudsters often masquerade as employees, such as HR or finance personnel. Such disguises help them access and target C-level executives. Verizon reported similar findings in its DBIR in 2019.

3.     Baiting

Baiting is somewhat similar phishing attack but is distinguished by the fraudster’s promise to giveaway an item or prize. Often the bait may be as simple as free movies or music downloads but will require the victim to hand over login credentials.

That’s not to say that baiting is strictly an online phenomenon. Baiters will use physical media when required. In July 2018, KrebsOnSecurity experienced and reported a baiting attack campaign that was targeting local and state-level government agencies within the United States. The attackers sent out envelopes that were Chinese postmarked and contained a compact disk (CD) along with a confusing letter. The idea was to exploit victims’ curiosity and have them use the CD containing malware that would infect their computer system.

4.     Quid pro quo

A quid pro quo attack is similar to baiting but whereas baiting promises goods, quid pro quo promises services. As an example, in recent years fraudsters impersonated the United States Social Security Administration. They contacted the targets, informed them there was an error in the system, and then claimed they needed the victims to confirm their Social Security Numbers. The ultimate goal was identity fraud using these credentials.

5.     Tailgating

Tailgating (also known as piggybacking) involves someone without any appropriate authentication following authorized personnel into a restricted area. Often the attacker may impersonate a delivery person and wait outside the target destination. When the unsuspecting employee gains access and opens the door to get in, the attacker will ask them to hold the door for him as well. This type of social engineering attack mostly targets mid-size enterprises as most large companies use keycards for building access.

6.     Watering hole

Just as animal predators wait by their prey’s favorite watering hole, cybercriminals target websites that may be popular with a target demographic in order to attack such visitors. If, for example, someone wanted to target financial services professionals, they might inject a popular financial site with malicious code. Merely visiting the site would compromise the website visitors’ browsers with code that could monitor the activities or even reach deeper into the system and control computer microphones and cameras.

7.     Vishing

Sometimes known as Voice Phishing, Vishing is a type of attack when a fraudster uses advanced IVR (interactive voice response) software on a standard telephone to entice you into repeating your confidential information on a recorded line. Vishing is not only about requesting your data; it crops your voice to over-come any voice-activated defenses that you may have access to within your company or for any services.

A common attacking technique used along with IVR is to prompt a victim to provide passwords and PINs. Each time the victim tries to enter a password or PIN, it will fail and notify the user that it is an incorrect attempt. This will cause the employee to panic and try several personal passwords. Hackers will harvest and exploit PINs and passwords later.

Ways to Recognize a Social Engineering Attack

A social engineering “ask” is often recognizable as one of the following:

Someone asking for assistance

Social engineers are good at using language that instills fear and a sense of urgency in you. The idea will be to rush you into performing an action with no time to think rationally. For example, someone who is urging you to carry out a wire transfer might be a scammer or hacker. Stop, think, and ensure that you will be conducting a legitimate transaction.

Asking for donations

Cyber fraudsters like to exploit your emotions and generosity by asking for donations for a charitable cause over the phone or through emails. They will also give you instructions on how you can send your donation to the hacker’s account. These social engineers may first research social media to learn the types of causes you support to better find a leveraging point.

Asking for information verification

Another notorious tactic that social engineers use is to present a problem that you can solve only by verifying your information. Often the problem requires the victim to fill in an online form asking for your personal information. The messages and form may look legitimate with all the correct branding and logos, but the moment you enter your information, the information immediately goes to social engineers.

Prevention from social engineering

There are five primary ways you can prevent yourself from falling for a social engineering attack:

Know your crown jewels

Learn the specific pieces of information, personal or corporate, that might be valuable to a social engineer or a hacker. Think of this information as the crown jewels. Identifying sensitive information allows you to set up walls to protect it.

In any corporate environment, the specific ‘crown jewels” may be different depending on department or person. Legal, IT and Finance may all have specific areas or sensitive data that others in the company may not have access to or even know about. This means social engineering protection applies to everyone.

Verify identities

Email hacking is a common threat that either imitates or takes control of legitimate email accounts. For example, if there is an unexpected request to take action online, ensure that the person you are dealing with is legitimate by calling that person and confirming that they have sent you the email message in question.

Slow down

Social engineers will go to the extreme lengths to instill panic, fear, and a sense of urgency in you. You must never let anyone rush you or prevent you from taking the time to consider carefully. See any effort to push you to take action quickly as a potential red flag.

Verify before your click

If you see a shortened link such as bit.ly link, etc., be wary. Such links are often used as carriers of malicious URLs or viruses. To verify if the link is legit, check it using a link expander. Search Google for “link expander” to see many resources that are easy to use.

Education

The most crucial and effective preventive measure is subject matter knowledge. Continue to educate yourself on current malicious tactics – they are always changing. If you are a business owner, educate your employees on social engineering threats. The health of your business may depend on it.