Ignorance of the principles of information security is not an excuse
Employees who are illiterate in security matters are dangerous to a company: they can do damage that takes enormous effort to clean up. This is true of any industry and any position, and it applies in full to information security: one click on an attachment or one infected USB flash drive brought from home, and that is it. Ransomware enters the company's network, work is paralysed, the IT department hunts for current backups to restore the disks the malware has encrypted, and the finance director tallies the losses from downtime.
At the same time, in accordance with the well-known effect of Dunning-Kruger, illiterate employees remain full of confidence that they are doing everything right, or at least they do nothing terrible. And it is precisely this that often leads to disastrous consequences.
In fact, almost any security system is useless if employees do not even have a grasp of the basics of information security. Such employees become the main vulnerability in your company's computer systems.
Cybercriminals understand this state of affairs perfectly and increasingly use the victim's employees as the weak point for their attacks. Exploiting a person's illiteracy is much easier than finding a vulnerability in the corporate network. Because of the information security illiteracy of even one employee, an organization risks losing money, data and reputation, facing legal claims or losing equipment.
Trend Micro experts talked about the types of attacks that employees are exposed to: device compromise, phishing, and malicious souvenirs.
Using your own gadgets and laptops for work (Bring Your Own Device, BYOD) is a fashionable trend that is especially popular among startups. Such an arrangement looks like the embodiment of the win-win principle: the company does not have to spend money on buying and maintaining a workplace, and the employee works on a laptop that he chose and set up himself. If he wants to work from home, he does not have to copy work files, and access to corporate systems is already configured. The cost of buying the device is compensated by the chance to sleep longer or even stay at home and work remotely.
From the point of view of information security, the use of one device for solving work and home tasks is a source of serious risks, especially if the employee is not too diligent in learning the basics of information security.
After a busy day you want to unwind. Downloading movies and music or hunting for games and pirated programs can leave something malicious on your computer. Then, the next time it connects to the corporate network, all of the company's data is under threat.
If you drop into a cafe and connect to the corporate network over public Wi-Fi to finish a report over a cup of coffee, your credentials can be intercepted and used to steal confidential information. And the laptop or tablet itself can be stolen or taken from you on the way between home and the office. Along with the laptop, the data stored on it leaks too.
The many faces of phishing
The traditional way of organizing the workflow in the form of stationary computers partially removes the risks characteristic of BYOD, but even in this case, an insufficient level of information security can be fatal for the organization. All employees use email, which means they are potential victims of phishing - fraudulent emails disguised as letters from delivery services, contractors, technical support or management.
Using phishing, cybercriminals can get the victim to launch malicious software attached to the letter, enter their credentials for the corporate network, or even make a payment using the fraudsters' bank details instead of the real counterparty's.
Of particular danger is targeted phishing (spear phishing), in which cybercriminals first collect information about the organization, its structure, employees and workflows, and then prepare letters containing real names and positions drawn up in accordance with the standards adopted by the organization. Recognizing these letters is more difficult, so the effectiveness of such mailings is much higher.
In one type of phishing, Business Email Compromise (BEC), the emails contain no malicious attachments at all and look completely harmless. The fraudsters strike up a correspondence with one of the company's managers on behalf of another organization and gradually convince him of the need to transfer money to their account. Despite the far-fetched nature of this scenario, in the spring of 2018 attackers lured 19 million euros out of the Dutch division of the French film company Pathé this way.
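The phishing and BEC indicators described above (a lookalike sender domain, a Reply-To that points somewhere other than the sender, a risky attachment, and pressure wording about changed bank details) can be checked mechanically before a letter reaches a manager. The following is an added example written for this page, not code from the article or from Trend Micro; the organisation's domain `example.com`, the partner domain `supplier-example.net`, the sample messages and the keyword list are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the illustration: our own domain and a known counterparty.
OUR_DOMAIN = "example.com"
KNOWN_PARTNERS = {"supplier-example.net"}
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".hta", ".docm", ".xlsm"}
PRESSURE_PHRASES = ("bank details", "urgent", "wire transfer", "new account")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, known):
    """Return the known domain this one imitates (not an exact match), else None."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def analyse(raw_message):
    """Return a list of (indicator, detail) pairs found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # BEC pattern: replies are steered to a mailbox the sender does not control.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))

    # Spear phishing pattern: sender domain imitates us or a known partner.
    target = lookalike(from_dom, KNOWN_PARTNERS | {OUR_DOMAIN})
    if target:
        findings.append(("lookalike-domain", f"{from_dom} resembles {target}"))

    text = msg.get("Subject", "")
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += " " + payload.decode("utf-8", errors="replace")

    hits = [p for p in PRESSURE_PHRASES if p in text.lower()]
    if hits:
        findings.append(("pressure-wording", ", ".join(hits)))
    return findings


# Constructed sample messages (not real correspondence).
BEC_MESSAGE = """\
From: "Accounts, Supplier Example" <accounts@supp1ier-example.net>
Reply-To: accounts.supplier@mail-example.org
To: cfo@example.com
Subject: URGENT: updated bank details
Content-Type: text/plain

Hello, please note our bank details changed. Transfer today.
"""

BENIGN_MESSAGE = """\
From: "Supplier Accounts" <accounts@supplier-example.net>
To: cfo@example.com
Subject: Invoice for March
Content-Type: text/plain

Attached is the monthly invoice, as agreed.
"""

DELIVERY_MESSAGE = """\
From: "Delivery Service" <noreply@delivery-example.test>
To: staff@example.com
Subject: Your parcel
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your parcel could not be delivered, see attached notice.
--b1
Content-Type: application/octet-stream; name="notice.js"
Content-Disposition: attachment; filename="notice.js"
Content-Transfer-Encoding: base64

YWxlcnQoMSk=
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("bec", BEC_MESSAGE), ("benign", BENIGN_MESSAGE), ("delivery", DELIVERY_MESSAGE)):
        print(label, analyse(raw))
```

A check like this belongs in the mail gateway or the reporting workflow, where a flagged message can be held or marked for the recipient; the lookalike threshold and the phrase list are deliberately small here and would be tuned to the organisation's own partners and language.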
Attackers do not stand still. We will see new forms of attack aimed at naive users, and not all of them will arrive over the Internet. One example is the attack via a free flash drive. At partner events, presentations and conferences, and simply as gifts, employees often receive flash drives with working materials. An employee who does not know the basics of information security will probably plug the flash drive into his computer as soon as he gets to the office, and may get a malicious surprise. Sometimes the event organizers themselves do not know that the computer from which they copied the promotional material onto the flash drives was infected with something.
This technique can also be used to infect a victim's computer deliberately. In 2016, the University of Illinois ran an experiment, planting 300 "loaded" flash drives around campus to see how many people would use them and how soon. The results surprised the researchers: the first flash drive was plugged into a computer within 6 minutes, 48% of those who found a drive used it, and all of them opened at least one file on it.
One of the largest real-world examples is DarkVishnya, in which bank security staff failed to notice a hidden device connected to the network. To carry out the attack, the intruders entered bank offices posing as couriers or visitors and then quietly connected a device to the bank's local network: a Bash Bunny mini-computer disguised as a USB flash drive, an inexpensive netbook, or a Raspberry Pi single-board computer equipped with a 3G / LTE modem. The device was hidden among the office furnishings to make it harder to detect. The attackers then connected to their device remotely, scanned the bank's network for vulnerabilities, broke in and stole money. Several banks in Eastern Europe were hit, and the damage from the DarkVishnya attacks came to several tens of millions of dollars.
The striking success of the lost-flash-drive attack shows how little people care about security and how important it is to train users in the correct behavior in such situations.
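Training reduces the number of employees who plug in a found or gifted drive, but a defender also wants to know when it happens anyway. The following is an added example for this page, not code from the article or from Trend Micro: it correlates the kernel messages Linux logs when a USB device appears with the follow-up message from the `usb-storage` driver, and raises an alert for any mass-storage device whose vendor:product ID is not on the organisation's allowlist. The log lines, the allowlisted ID and the bus numbers are constructed for the illustration.

```python
import re

# Constructed allowlist of vendor:product IDs for drives the company issued.
ALLOWED_STORAGE = {("0951", "1666")}

# Patterns for the three dmesg lines of interest (timestamp stripped first).
NEW_DEVICE = re.compile(
    r"^usb (?P<bus>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT = re.compile(r"^usb (?P<bus>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(r"^usb-storage (?P<bus>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")


def scan(lines):
    """Return alerts for mass-storage devices not on the allowlist.

    Each alert is a dict with the bus id, vendor id, product id and product name.
    Devices that never trigger the usb-storage driver (keyboards, mice) are ignored.
    """
    devices = {}  # bus id -> attributes collected so far
    alerts = []
    for raw in lines:
        line = TIMESTAMP.sub("", raw.strip())
        if m := NEW_DEVICE.match(line):
            devices[m["bus"]] = {"bus": m["bus"], "vid": m["vid"], "pid": m["pid"], "name": ""}
        elif m := PRODUCT.match(line):
            devices.setdefault(m["bus"], {"bus": m["bus"], "vid": "", "pid": "", "name": ""})["name"] = m["name"]
        elif m := MASS_STORAGE.match(line):
            dev = devices.get(m["bus"])
            if dev is None:
                # Storage driver fired for a bus we never saw enumerate: still worth a look.
                alerts.append({"bus": m["bus"], "vid": "", "pid": "", "name": "unknown"})
            elif (dev["vid"], dev["pid"]) not in ALLOWED_STORAGE:
                alerts.append(dict(dev))
    return alerts


# Constructed sample log: an allowlisted drive, a keyboard, and an unknown drive.
SAMPLE_LOG = """\
[  100.100000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  100.250000] usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  100.250100] usb 1-1: Product: Company Issued Drive
[  100.300000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  200.100000] usb 1-2: new low-speed USB device number 3 using xhci_hcd
[  200.250000] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  200.250100] usb 1-2: Product: USB Keyboard
[  300.100000] usb 2-3: new high-speed USB device number 4 using xhci_hcd
[  300.250000] usb 2-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  300.250100] usb 2-3: Product: Conference Gift
[  300.300000] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print("unapproved storage device:", alert)
```

In practice the same lines come from `journalctl -k` or the syslog forwarder, and the alert would be routed to the security team together with the host name and logged-on user, which is exactly the "see something, say something" signal that an untrained employee would otherwise never raise.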
What to do about it?
Despite the abundance of software and hardware protection on the market, it is worth devoting part of the budget to countering attacks that target employees. The most important recommendations are:
- Educate. All employees should understand that ignorance of the principles of information security is not an excuse, and should therefore take an interest in raising their own awareness. On the company's side, the cost of organizing and running training seminars on information security should be treated as an investment in reducing risk and preventing damage.
- Train. Theoretical knowledge is quickly displaced from memory by more pressing information. Practical exercises help reinforce the skills. They also let you identify employees who have not absorbed the material and retrain them.
- Implement a "See something, say something" policy. When confronted with a cyber threat, an employee may keep quiet about it until the last moment, fearing dismissal or trying to deal with it on his own. Yet timely reporting of the incident is what stops malware from spreading across the corporate network. Accordingly, internal procedures should be set up so that the employee who reports an attack receives thanks, and the information security team can record the threat and begin eliminating it.
Any computer system is vulnerable, and its weakest link, as a rule, is the human being. The task of every business executive is to minimize the information security risks associated with attacks on employees. Education, practical training and well-organized handling of cyber incidents are what help with this task. Ideally, mandatory knowledge of the basics of cybersecurity should be part of the corporate philosophy.