Think Like the Enemy: Leveraging OPSEC to Stop Social Engineering Exploits
Globally, organizations spend billions of dollars trying to protect their networks from hackers, criminals and even nation states. They’ve built fortresses of technology designed to keep the bad actors out. And yet, there’s not a CISO in this world who isn’t worried that their network was compromised last night. (By the way, I’m sure some network was totally compromised last night, so one of the aforementioned CISOs is having a bad day.)
Why is that? Well, it comes down to you. Yes, you, and your colleagues, your team, and heck, even your boss. Cyber attackers know that these fortresses exist, and so, they look for an easier way to get in – a weak link. Most often that weak link is people.
Cyber attackers recon personal information on Facebook, LinkedIn and any other publicly accessible social media site or database on a daily basis. They know about you. Public information and social media accounts are the easiest way for attackers to guess your passwords and the answers to your security questions. Where did you go to high school, and what was the mascot? What’s your mother’s maiden name? What’s your daughter’s birthday? (Nice picture of her eating birthday cake, by the way!) It’s all there, waiting on a silver platter for an attacker to leverage for their own gain.
As an Army officer, one of the simple principles I learned very early on is Operations Security (OPSEC). In practice, OPSEC is about identifying information that an enemy could piece together and exploit, and then reducing the exposure of that information. Any single piece may not mean much when disconnected from the current situation or larger operation, but when an enemy pieces it together, it makes for a bad day. When an enemy can gather fragments from all sorts of places and work out when that supply convoy or the next operation will occur, it makes all other efforts useless.
Strip away the military jargon and this is the same way cyber attackers are compromising passwords every day. Seemingly disconnected information is pieced together until there is enough of a picture to act on.
Maintaining OPSEC in the business world is a hard problem to solve. Even in the security business, companies want to highlight the great talent they have fighting cybercrime. This talent now has a huge target on its back.
The key is this: targets must understand that they are targets. From the basic system administrator to the CFO, attackers will continually engineer ways to get critical information from the people they consider high value. Training those targets, from the top of the organization down, to identify and stop social engineering attacks is the best defense.
CISOs need to think like the enemy:
- Perform your own recon to find out what attackers “see” and how they target high value people.
- Build information assurance policies, cyber defenses and countermeasures that prevent exploitation of that information.
- Drive this from the top down. Everyone in the organization is partly responsible for its security. Know the weak links and hunt for activity aimed at them.
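To make the first step concrete, here is a small Python script, added as an example and not part of the original article or any Kudelski Security tooling, that does a defender’s version of the attacker’s recon. It takes the kind of facts a person leaks through public posts (hometown, school mascot, mother’s maiden name, a child’s name and birthday from a cake photo), pieces them together the way an attacker would into a candidate password list, and then checks whether a chosen password or security-question answer is derivable from that picture. The profile is constructed sample data, not a real person, and the mangling rules (case, leetspeak, date suffixes, two-word combinations) are a deliberately simplified assumption; real attacker wordlist tools apply far larger rule sets, so a password that passes this check is not automatically safe.

```python
"""Added example (not from the original article): assemble the "picture" an
attacker can build from a person's public posts and check whether a password
or security-question answer is derivable from it.

SAMPLE_PROFILE is CONSTRUCTED sample data, not a real person.  The mangling
rules are a simplified assumption, not the rule set of any real tool.
"""
from itertools import product

# Constructed facts of the kind harvested from social media (not a real person).
SAMPLE_PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "high_school_mascot": "Tigers",      # "what was your school mascot?"
    "mother_maiden_name": "Smith",       # "what is your mother's maiden name?"
    "daughter_name": "Emma",
    "daughter_birthday": "2014-06-03",   # ISO date read off a birthday-cake post
    "pet_name": "Rex",
    "city": "Austin",
}

# Minimal leetspeak substitution (lowercase letters only).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Generic suffixes people bolt onto a word to satisfy a complexity policy.
COMMON_SUFFIXES = {"1", "123", "!", "1!"}


def date_tokens(iso_date):
    """Expand an ISO date (YYYY-MM-DD) into the fragments people put in passwords."""
    year, month, day = iso_date.split("-")
    return {
        year, year[2:], day + month, month + day,
        day + month + year, month + day + year,
        day + month + year[2:], month + day + year[2:],
    }


def word_variants(word):
    """Case variants of one harvested word, plus their leetspeak forms."""
    base = {word.lower(), word.capitalize(), word.upper()}
    return base | {w.translate(LEET) for w in base}


def candidate_passwords(profile):
    """Return the set of passwords an attacker could derive from `profile`.

    Keys ending in "birthday" are treated as dates and become suffixes; every
    other value is treated as a word.  Candidates are each word alone, each
    word plus a date or common suffix, and each ordered pair of distinct words.
    """
    words, dates = set(), set()
    for key, value in profile.items():
        if key.endswith("birthday"):
            dates |= date_tokens(value)
        else:
            words |= word_variants(value)
    candidates = set(words)
    for w in words:
        for suffix in dates | COMMON_SUFFIXES:
            candidates.add(w + suffix)
    for a, b in product(words, repeat=2):
        if a.lower() != b.lower():
            candidates.add(a + b)
    return candidates


def password_exposed(password, profile):
    """True if `password` (compared case-insensitively) is derivable from the profile."""
    needle = password.lower()
    return any(c.lower() == needle for c in candidate_passwords(profile))


def security_answer_exposed(answer, profile):
    """True if a security-question answer is literally one of the public facts."""
    needle = answer.strip().lower()
    return any(needle == str(value).lower() for value in profile.values())


def exposure_report(profile, passwords, answers):
    """Summarise which of the supplied secrets the public profile gives away."""
    return {
        "candidates_generated": len(candidate_passwords(profile)),
        "exposed_passwords": [p for p in passwords if password_exposed(p, profile)],
        "exposed_answers": [a for a in answers if security_answer_exposed(a, profile)],
    }


if __name__ == "__main__":
    report = exposure_report(
        SAMPLE_PROFILE,
        passwords=["Tigers2014", "emma0603", "R3x!", "correct horse battery staple"],
        answers=["Smith", "Zebra"],
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run this against the facts your own recon turns up for a high-value person, and treat every hit as a reason to change the password or pick security-question answers that are not facts about your life at all (a random string stored in a password manager works fine). The generated set also doubles as a custom deny-list for a password policy check.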
The team at Kudelski Security is here to help you get started or complement an already mature program. Get in touch with us for a discussion tailored to your specific needs.