The Trojan horse is you
Cybercriminals are increasingly using social engineering to get workers to open the door to their employers’ secure data.
You’re going to have to reprogram yourself.
There has been a change in the shadowy world of cybercrime that demands more out of the end users of computers – at home and in the office, cybersecurity experts say.
Hacking into data troves at companies via flawed software is becoming less common as security programs have made it ever more difficult. Now the weak link for corporations, governments and individuals is … you.
“We, the operators, continue to be the biggest vulnerability,” said retired U.S. Marine Corps Lt. Gen. Robert Schmidle Jr., who took part in a panel discussion on cybersecurity Sept. 6 at Metropolitan State University of Denver during the Inauguration celebration honoring University President Janine Davidson, Ph.D. “In most cases, almost all of the risk is placed on the end user.”
In the cat-and-mouse game between hackers and security professionals, security lately has been winning out. But hackers are nothing if not persistent, and they are exploiting the human element using an upgraded version of an old hacking tool – phishing.
The difference now is that while you might have once easily dismissed a poorly worded email from a “Nigerian prince” offering you millions of dollars, you could get an official-looking email purporting to be from a large corporation with which you might have an account. Through various means, the email would request that you click on a seemingly innocuous embedded link. Once clicked on, the link would essentially open Pandora’s box, unleashing malware that would infect your computer.
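One defensive check that follows from the scenario just described: a link whose visible text shows one address while its target points somewhere else, or a link that quietly leaves the domain the email claims to come from. The Python below is an added illustration, not code from the article or from any of the people quoted in it; the email body, the sender domain `examplebank.com` and the `.invalid` hostnames are constructed sample values, and `suspicious_links` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one spoofed link, one legitimate link,
# and an "unsubscribe" link that points at an unrelated mailer domain.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p><a href="http://examplebank-verify.invalid/login">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
<p><a href="http://track.bulkmailer.invalid/u?id=1">unsubscribe</a></p>
"""

# Matches visible anchor text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(r"(?i)(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(a, b):
    """Crude same-site test on the last two labels (www.x.com ~ x.com)."""
    return ".".join(a.split(".")[-2:]) == ".".join(b.split(".")[-2:])


def suspicious_links(html_body, claimed_sender_domain):
    """Return (href, text, reason) for each link a reviewer should inspect.

    Two heuristics, checked in order:
      1. the visible text is a URL whose host differs from the real target;
      2. the real target is outside the domain the email claims to be from.
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    sender = claimed_sender_domain.lower()
    findings = []
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if _URL_LIKE.fullmatch(text) else ""
        if shown and not _same_site(shown, target):
            findings.append((href, text, "visible URL does not match link target"))
        elif not _same_site(target, sender):
            findings.append((href, text, "link leaves the claimed sender's domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{reason}: '{text}' -> {href}")
```

Run on the constructed sample, the spoofed login link is reported because its displayed address and its real target disagree, and the "unsubscribe" link is reported because it leads off the claimed sender's site; the help-center link passes. Mail gateways and browser extensions apply the same two comparisons, and users can do them by hand by hovering over a link before clicking.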
This is bad enough when it’s your home computer and your credit-card information is posted for sale on the dark web, a vast network where criminal activity is common. But when someone does this at their job, they imperil the entire network connected to the single computer that has been breached.
“Many of the breaches essentially are social engineering,” said Steve Beaty, Ph.D., professor of mathematical and computer sciences at MSU Denver. “Somebody clicked on a link that infected their computer, and that infection spread very rapidly. To a certain degree, we haven’t moved the needle a bit on that aspect. People are still clicking on things they shouldn’t, even with all of their training.”
Beaty gave as an example the break-in to the Democratic National Committee server during the 2016 U.S. presidential election. Damning information was released, he said, because a cybercriminal “tricked a person into revealing their username and password.”
Much has been written about election interference since the 2016 election, and the level that could hit in November’s elections is yet to be determined. But Beaty says the bigger threat is in the loss of corporate and government secrets.
“Lots of intellectual property has been stolen,” he said. “If you look long-term, the military and the intellectual-property stuff is much more damaging to the United States than a couple of percentage points on a midterm election, in my opinion.
“We’re losing what has long been the crown jewels, which is our innovation, our technology.”
The safeguard against such losses is training and vigilance, said Jennifer Kurtz, cyber program director at Colorado-based Manufacturer’s Edge and author of the book “Hacking Wireless Access Points: Cracking, Tracking, and Signal Jacking.”
“All your staff members should be part of your security team,” said Kurtz, who was also a panelist at the Sept. 6 event on the MSU Denver campus. “Security isn’t something that should be isolated to one person or transferred over to a managed-service provider. One of my friends at Oracle uses this phrase: ‘everyone a foot soldier.’ That’s kind of what it ought to be.”
Kurtz warned against assuming your employer is protected by insurance from missteps at the user level. One simple mistake by a worker could cost a company millions of dollars to repair.
“The insurance guys are not stupid, and they’ve got their disclaimers written into the policy,” she said. “So if they do an investigation after an incident has occurred and they find negligence on the part of the company, that voids out the insurance claims.”
And you can never assume that it’s “the other person” who’s going to click on a malicious link, which could be as simple as one that says “unsubscribe.” Schmidle told of a cybersecurity expert he spoke with at a conference who had been victimized.
“I asked, ‘How could … ?’ and he said, ‘I don’t know. I was tired, I was in a hurry…,’” the general said, emphasizing how easy it is for anyone to stumble.
So the overriding message is that individuals need to be educated and careful, whether going over bank records online or doing their jobs at work. And companies should take the lead in “hardening” their workers by requiring training. The cost of one major breach can more than offset the expense of hiring expert trainers.
“The greatest threat is people just assuming that what they do doesn’t really matter, you know, whether they’re in a business environment, their work environment or in the home environment, and that they’re just one person,” Kurtz said. “Who’s going to care?
“So if you carry sloppy home habits into the workplace, you create vulnerabilities for your organization.”