The e-mail from Bob Smith was very conversational:
It was great playing racquetball with you at the club Saturday. I guess we’ll need to schedule a rematch since you beat me by 22 points. I was thinking about that report you asked me for, so I’ve attached it. Again, let’s set up that rematch real soon! – Bob Smith.
There’s just one problem. While the receiver remembers the racquetball game (he won after all), he doesn’t recall asking Bob for a report. He’s wondering, too, why Bob is writing him from an e-mail address he doesn’t recognize.
These are two red flags the receiver picks up on, but he ignores them and clicks the link in the e-mail anyway.
This is just one form of social engineering—called phishing. Hackers use trust in an attempt to fool employees into opening e-mails or clicking links that could install viruses or malware onto company computers.
Here’s another scenario:
A stranger walks into an office filled with cubicles and approaches an accountant’s desk. The accountant has never seen him before, but he is well dressed, has a clip board in one hand and is wearing a fake company badge.
“I’m here to make your computer run faster,” he tells the accountant, a young woman. She brightens up, swivels her chair away from her work station and thanks the hacker as he inserts a thumb drive and uploads a virus.
Today, data security experts say, the first scenario is far likelier than the latter one—after all, it’s relatively easier to get an unsuspecting person to click on a link in a spoofed e-mail, on Twitter or on a Facebook page promising to show photos of Osama bin Laden’s mangled body.
What HR Should Know
Employees can combat such tactics—if they remain observant.
According to the Internet security awareness training firm KnowBe4, formal training can reduce an organization’s vulnerability to cybercrime substantially. It’s especially important, experts there say, because more than 60 percent of network malware infections are caused by social engineering. They say that implementing Internet security awareness training can reduce by 75 percent the probability of companies being damaged by an attack.
But let’s go back to the person who received Bob Smith’s e-mail. Did he really do anything wrong? After all, he did play at the club and he did win by 22 points, so clicking a link in an e-mail from someone he knew should have been safe, right?
What the receiver didn’t do was trust his instincts. The receiver’s racquetball score was posted on the club’s website for anyone to see. The hacker who sent the e-mail simply went to the club’s website, noted the receiver’s score, called his company, got the receiver’s e-mail address and created a fake e-mail account in the name of the person the receiver had played against. So when the receiver clicked on the link and nothing happened, he had no idea that he was exposing his firm to a virus. Experts say social engineering ruses like this are much more common today than having someone enter your enterprise, pretend to be from IT and infect your computer.
The folks of Bit9 know this for certain.
“In early March, a customer informed Bit9 of an advanced persistent threat (APT) attack,” Jessica Couto, director of strategic alliances for Bit9, told IT specialists at a Data Connectors Tech-Security Conference in Washington, D.C. Bit9 provides security and protection against APT attacks. The customer got an e-mail that looked like it came from a co-worker, titled “2011 Recruitment Plan.” It came with a spreadsheet attached, she said. The body read: “Please review the 2011 Recruitment Plan.” There was no hyperlink, she said. “The e-mail did not come from a stranger. He opened the attachment, and within the spreadsheet was an embedded zero-day vulnerability,” a virus, she said. That company, RSA, is the security arm of storage behemoth EMC, which provides storage and data security for more than 90 percent of Fortune 500 companies across the world. According to news reports, the breach compromised the data of more than 40 million employees worldwide.
The virus “got in … and broke into Lockheed Martin and Northrop Grumman,” Couto continued.
“RSA is a security company, so if it could happen to them it could happen to anybody.”
‘A Billion-Dollar Industry’
In the war against APT attacks and the data breaches they cause, employees are on the front line. They open e-mail (even ones that go into spam filters like the one clicked in the RSA attack). They visit news sites such as CNN and MSNBC and read The New York Times and The Washington Post. They peruse blogs—corporate and otherwise. And they visit social networking sites. All, experts say, are places where hackers can attempt social engineering attacks. Gone are the people with fake ID badges and thumb drives. Today’s charlatans don’t need sleight of hand or a winning smile.
What they need is a fake picture of a famous dead terrorist—or at least, the promise of one.
According to a recent survey sponsored by GFI Software and conducted by polling expert Opinion Matters, 40 percent of small and medium-sized businesses have experienced a security breach as a result of employees navigating to a site that hosted malware. And 55 percent of those respondents who monitor web usage said that defending against infected websites is not their main priority.
An expert at KnowBe4 said that formal training can reduce an organization’s vulnerability to cybercrime substantially. A case study of three KnowBe4 clients revealed that between 26 percent and 45 percent of employees at those companies were susceptible to phishing e-mails.
Training employees to be cautious of the e-mails they receive and the links they see on social networking sites—even the ads they might click on legitimate web pages—is the best way to combat social engineering attempts. KnowBe4 reported that employee training can reduce by 75 percent the likelihood that employees will fall victim to such attacks.
“You can only do so much with firewalls and with intrusion detection and anti-spam and anti-spyware, but as long as the bad guys make an employee click on something, all of that is for naught because that one click can be the beginning of disaster,” said Stu Sjouwerman, author of the book Cyberheist (KnowBe4, 2011), a primer for corporations looking to protect themselves from data breaches.
“Social engineering is a billion-dollar industry right now; it’s organized crime,” Sjouwerman explained, adding that hackers in Russia can make up to $150,000 a year doing this in their spare time. “And these guys are good—these are smart people.” Employees are targets. “Anyone clicking on one phishing link could do major damage.”
Behavior Is Crucial
Experts say that although websites change daily, people’s behavior remains static, and the cure is to “be suspicious of everything. Trust no one. That is the new reality,” said Grady Summers, principal information security expert with Ernst & Young. “So many employees trust e-mail; they’ve got to realize in this day and age e-mail is so easily faked,” Summers said. “There are a lot of practical things we recommend. Users should think about using a different computer for accessing personal pages, like Facebook, or separate their personal usage from their business usage … and keep their browser up-to-date. They can try browser sandboxing,” he said, which isolates the browser from the rest of your computer.
Changing behavior is paramount to security, experts say. Employees should have a healthy amount of skepticism before they click on something. Even hovering over a shortened link and looking at the root extension and then Googling the topic instead of clicking on a link can go a long way to ensure that employees do not expose their companies to data breaches.
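The two cues this article keeps returning to (an unfamiliar sender address, as in the Bob Smith e-mail and the RSA message, and a link whose visible text does not match where it actually points, which is what hovering reveals) can be checked mechanically as well as by eye. The following is an added example, not code from the article or from any of the vendors it quotes. It parses a constructed sample message, compares the sender’s domain against a hypothetical list of domains the recipient knows, and flags links that go through a URL shortener or whose displayed host differs from the real destination. All domains and names in it are made up for the demonstration.

```python
"""Added example (not from the SHRM article): an offline check of the cues
an employee is told to notice before clicking. The message, the known-domain
list and every domain below are constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the recipient already does business with.
KNOWN_DOMAINS = {"example-corp.test", "racquetclub.test"}

# A few widely used URL shorteners; a shortened link hides its destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-case host of a URL (scheme optional), or None if there is none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower() or None


def inspect_message(raw):
    """Return human-readable warnings for a raw RFC 822 message with an HTML body."""
    msg = message_from_string(raw)
    warnings = []

    # Cue 1: who is this really from? Display name vs. the address's domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain not in KNOWN_DOMAINS:
        warnings.append(f"sender '{name}' writes from unfamiliar domain {sender_domain}")

    # Cue 2: where does each link really go? What hovering would show.
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for text, href in collector.links:
        target = host_of(href)
        shown = host_of(text) if "." in text else None  # link text that looks like a URL
        if target in SHORTENERS:
            warnings.append(f"link '{text}' goes through shortener {target}; destination hidden")
        elif shown and shown != target:
            warnings.append(f"link text shows {shown} but points to {target}")
        elif target and target not in KNOWN_DOMAINS:
            warnings.append(f"link '{text}' points to unfamiliar domain {target}")
    return warnings


# Constructed sample modelled on the article's racquetball pretext.
SAMPLE_MESSAGE = """\
From: Bob Smith <bob.smith@free-mail.test>
To: receiver@example-corp.test
Subject: That report you asked for
Content-Type: text/html

<p>Great game Saturday! The report is here:
<a href="http://bit.ly/2kq9zz">download the report</a>.
Scores are posted at <a href="http://racquetclub-scores.test/login">racquetclub.test/scores</a>.</p>
"""

if __name__ == "__main__":
    for line in inspect_message(SAMPLE_MESSAGE):
        print("WARNING:", line)
```

Run against the sample, the check raises three warnings: the sender writes from a domain the recipient has never dealt with, the first link hides its destination behind a shortener, and the second link displays the club’s domain while pointing somewhere else. A message from a known domain whose links all resolve to known hosts produces no warnings. The check is deliberately conservative: it only surfaces the same facts a careful employee would see by hovering and reading the address, so that the “stop, look, think” decision stays with the person.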
“What we teach [employees] is stop, look, think,” said Katie Johnson, head of marketing and client services for the consultancy Awareity. “They should ask themselves: ‘Is this too good to be true? Is this a scam?’ You can stop this behavior,” she said.
Aliah D. Wright is an online editor/manager for SHRM.
How Can HR Help Guard Against Data Breach? SHRM Online Technology Discipline, June 2011