Cyber Security – Phishing and Social Engineering are the new threats in the cyber warfare that enterprises are waging. When asked about the best way to thwart cyberattacks, most cybersecurity experts list off a complex set of cutting-edge software and hardware solutions meant to keep attackers at bay. These range from SaaS applications that use two-step authentication to firmware specifically designed to work in an untrusted environment, with secondary and tertiary remote management killswitches and remote software monitoring. While many of these impressive technologies can stop or prevent cyberattacks, the majority fail to address the single weakest link in the chain in most organizations: the human being.

Phishing and Social Engineering and Large-Scale Cyberattacks

Although Hollywood filmmakers would have you believe that hacking takes place in exotic, remote locations, with teams of foreign agents furiously pushing out lines of code designed to gain them access to their target’s databases, the truth is usually far more mundane. An actual cyberattack may look as simple as a hacker getting the phone number for a low-level employee in accounting, impersonating an executive-level technology director and asking them to hand over their password. Attacks like these use social engineering tactics—not necessarily technological tactics—to produce results.

In a typical scenario, an employee may be instructed to send money to what appears to be a company account but is actually a compromised account controlled by the hacker. In an even simpler, yet more dangerous, scenario the hacker may keep impersonating executives, using that borrowed authority to direct company policy. Anything is possible once a hacker has convinced an employee that they’re talking to their boss. Yet another highly effective approach is spear phishing, where employees are tricked into opening malicious emails that appear to come from trusted sources.

The statistics show a disturbing truth: 91% of cyberattacks begin with spear phishing emails, according to Trend Micro. The process is exceedingly simple: a fake web portal is set up and the hackers scour social media for useful personal information. They can reference friends, relatives, pets’ names and much more to convincingly impersonate the person they are posing as, and then drop an exploit directly in the lap of an unwitting employee who quickly becomes their pawn.

Discovering Security Flaws

One of the most disturbing things about the modern enterprise-level cybersecurity field is that professional social engineers often succeed at not tipping their hand after gaining access. Usually, once they enter a system, they begin an observation and data-gathering period that can last from a couple of weeks to several months. During this period they are nearly impossible to detect without continuous analysis or sophisticated software monitoring. When the time comes for the attack to take place, it will seem to have come with no warning.

With remote management and increasingly inter-reliant user interfaces becoming the norm, a single compromised workstation can become the nexus of a sophisticated attack. For example, experts found that the 2015 Ukrainian power grid hack began months prior through what appeared to be a harmless Microsoft Word document, sent by email to a power station employee. The attackers observed his machine for months, eventually coding a malicious firmware update for the power station’s circuit breaker hardware and uploading it while simultaneously launching DDoS attacks on the power company’s customer support center—the results were disastrous.

Implications for Future Defenses

Cybercrime is on the rise for large-scale enterprises, according to Heimdal Security. In fact, the actions of cybercriminals have reached an estimated annual cost of over 100 billion dollars worldwide. With ingenious approaches like ransomware being developed and deployed on a daily basis, taking a proactive enterprise-level approach to cybersecurity is more important than ever. Such an approach includes:

  • Consulting with security experts, especially in SaaS environments where trusted connections may be the norm.
  • Reducing the number of trusted connections in network infrastructure.
  • Building a corporate culture that encourages communication about possible cybersecurity threats.
  • Educating employees at all levels about the tactics used by modern cybercriminals.

The most important mitigation strategy that enterprise-level organizations need to implement is employee training. Every single individual with access to a company’s network infrastructure needs to know what to look out for: suspicious requests from trusted sources, email attachments coming from sources outside the cloud, and so on. Second to that, two-step authentication and telephone verification offer ways to further mitigate risk. A multinational CEO may not like getting extra phone calls every day verifying his or her every move within the company, but most would agree that losing a few million dollars because of an employee’s mistaken trust is far more annoying.

Each individual employee may need to sit down with a cybersecurity consultant in order to be fully briefed on the implications of their access, since low-level employees often mistakenly believe that their credentials cannot do any real damage—which is almost always far from the truth. A determined adversary can impact enterprise-level businesses with surprising agility by bending the corporate hierarchy to their needs. Mitigating that risk means using that same corporate hierarchy deliberately, to identify and support the employees whose access to core systems makes them the weak links.

What measures is your enterprise taking to thwart Phishing and Social Engineering?