Teach the children and let them lead the way.
Teach the employees and save yourself a lot of headaches.
Article by Violet Blue for Zero Day and republished in ZDNet.
Emphasis in red added by me.
Brian Wood, VP Marketing
How hackers use employees to break through security walls
Summary: Employees are prime targets for cybercrime attacks against your company. Find out the six top ways criminals gain access to your valuable data, IP, and more.
No one wants to think about the idea of their company’s customer data, infrastructure, IP or network security as the full-time target for hired-gun hackers, government spies or crime syndicates around the world.
Unfortunately, it’s true. Your most vulnerable point of attack is often the people you trust the most: your employees.
By the standards of today’s black market for thieves, your employees are in the crosshairs for some of the most serious attacks on your company. A new report from RAND Corporation “Markets for Cybercrime Tools and Stolen Data” (commissioned by Juniper Networks) explains that in addition to unpatched vulnerabilities, the human element will continue to increase as the weak point for attacks.
Updates, you can do. Vulnerabilities can be patched. But people… are people.
The majority of successful security defeats are phishing attacks, where the victim clicks a link or downloads an app or attachment that infects…anything it wants to. And a phishing attack can to a lot of damage.
One email spiked with innocuous-looking malware to a vendor cost Target an estimated 40 million credit cards and 70 million user accounts, which were hijacked and sold on the black market within days. Target’s December disaster came from a phishing attack sent to employees at an HVAC firm it did business with.
What’s worse, employee-targeted attacks, when successful, often go undetected until it’s too late according to Inside the Hacker’s Playbook.
76 percent of breached organizations needed someone else to tell them they’ve been hacked. Employee awareness could be worth more than the latest anti-malware software, and will save you millions in the race to prevent cyber theft. (Trustwave, 2013)
Each of the following describe ways hackers can access critical information from a company’s employees:
The Front Page News Attack
Right now, phishing is among the primary ways unwitting employees are used to attack your company. Phishing attacks are currently sophisticated in a few very specific ways, and RAND’s report tells us that phishing is only going to get more sophisticated as the black market for cybercrime matures.
Today’s typical phishing attack is an email disguised to look familiar, fooling the employee to click on a link or download an attachment. But the trend for cyber criminals is exactly that: popular trends, and most especially front-page news.
RAND explains the black market trend in news-item phishing, which often play on emotional events. “Different pieces of the market react differently to outside events (e.g., natural disasters, revelations to Wikileaks, or releases of new operating systems).
Front-page news items are often used in spear-phishing campaigns (e.g., “click this link to donate to victims of Haiti earthquake”) raising the number of potential victims.”
Cell carriers are training users to accept text messages with links, and that’s not good. According to RAND’s new report, the use of social networks and mobile devices will continue to be growth areas for black market cybercrime.
“The development of mobile malware for Android devices (70 percent of all mobile attacks) is likely to continue until Google, device manufacturers, and service providers work together to find a way of delivering updates and patches to users as they come out (only 12 percent of Android devices have been updated to the versions that prevent premium SMS charges being run up on the phones of unsuspecting users).”
Employees need to be warned that texts open a link up in their mobile browser, which can cause just as much harm with password-stealing malware as in your computer’s browser. Mobile browsers are subject to the same sorts of bugs, and it’s quite easy for a criminal to spoof a mobile website.
Traveling Employees: Easy Targets
Employees that travel are extremely vulnerable to attacks, and often don’t know they’ve been compromised — because they don’t know how to safeguard their devices, their network access, or what to look for as signs of compromise.
One such common attack is called the “Evil Maid Attack,” referring to when a criminal accesses the employee’s unattended computer, phone, tablet or hard drives, usually left in a hotel room.
Devices can be physically compromised in less than sixty seconds, loaded with malware that leaves no trace, can report back “home” and can spread more malware to your company upon return to the home network.
Compromised Companies We Trust
In the current trend of sophisticated attacks, your employee hasn’t clicked on a “weird looking” link at all: they clicked on a link that belonged to a large business whose server was hacked.
RAND’s report tells us about the “recent increases in the use of watering-hole attacks (where users visit popular, legitimate, but compromised websites) based on well-known exploit kits available for sale on the black market.
Last week, an EA Games server was revealed to be compromised and running a phishing operation in which unwitting visitors signed in with their login credentials as usual, not suspecting they were handing hackers access to their accounts. A similar watering hole attack was also in progress at a site with an EA Games subdomain that was taking users’ Apple ID credentials.
The Dangers of Working Remotely
Your employees are targets outside of your network, too.
Employees might use compromised wireless networks to access corporate assets, log in on someone else’s device or computer in an emergency, or put USB sticks from compromised sources in their laptops.
Logging on to work email on someone else’s device or computer can allow a hacker to sniff login credentials and passwords.
If an employee works remotely, hackers can easily “sniff” their internet traffic over unprotected Internet access (Wi-Fi or wired) if the employee doesn’t use a secure VPN to protect their Internet activities.