You never really know who is on the other side of the phone until it's too late, as is often the case with social engineering and cyber attacks. Digit News recently reported a 38% increase in cyber-attacks on a global scale over 2022. These 'gangs' are targeting 'soft targets' such as Education/Research, Government and Healthcare. The article also points to the geographical targeting of these attacks, driven by the perceived incompetence of legitimate digital resource owners and their ability to pay.
Despite the feeling that we are facing a digital apocalypse, these tricksters still rely on old attack vectors like social engineering to get what they want. It's important to recognise that the security industry has many talent-laden companies producing digital products in all the main areas, from prevention and modelling, to detection, to remediation. Accordingly, locking out cybercriminals is still possible. That makes the employee once more the key to infiltration, so it's best never to forget that security is everyone's responsibility.
A key point to remember about social engineering is that it has evolved: visual trickery is now often used, via automated means, to get what is required. Here are some key points to bear in mind every time you are contacted by someone inside or outside your company.
- Corporate Espionage: If an employee from finance, for example, asks for access to the production server fleet, then it is likely they do not have a legitimate reason for it. Ask them why and then quietly report it to your manager and/or security. Even if the reason sounds good, make sure the company's management group knows of this unusual request before it happens.
- Shared Passwords: There is still a culture of shared passwords in some companies, with a blasé attitude towards it from some managers. Shared passwords mean shared access that is not controlled. This provides a clear attack vector for everything from corporate espionage to data theft, with limited ability to follow up post-event. Even if you get branded a troublemaker, report it nevertheless. One successful cyber attack, or one security audit that is actually effective, will leave you in the clear once this appalling practice is detected.
- Password Management: A company's security policy is a minimum, not a target, for password strength. Find out which password manager is approved for use and use it. 12 characters with a special character and a number are great. 16 characters are better, by millions of years of guessing time.
- Company Phone: If you have a company phone, ensure it's secure and, if it is lost, report it quickly. The company information on it should be kept low level, as per the security policy. If your multi-factor authentication app, e.g. MS Authenticator, is accessible, it can be very valuable to a hacker group. Ensure these apps are password or face-authentication protected as a 'defence in depth' measure for the handset. Also, open WiFi networks are the preserve of lowly skilled hackers looking to get lucky, so make sure you do not log into them, despite the better signal compared to mobile data in some cases.
- Calls from Unknown Callers: As a target of these pushy criminals myself, I can say they pose as fraudsters looking for banking details, or sell me my life's dream in a haze of well-spun nonsense. Look past their lack of a moral centre and you will find a well-designed approach built to gather information from your every response: your gullibility and your willingness to hint at what will move you to a defensive posture. This is fed into an AI platform and can narrow down password creation, plus more. It also shows that directly tricking you into disclosing your password is not necessary; it can be done if you talk to them for long enough. Use the first 30 seconds to establish their identity, double-check it as legitimate over the next 30 seconds, and then drop (and block) the caller if you are not happy. Social engineering has become a pushy science that requires you, as the target, to respond very dispassionately, yet maintain an assertive, controlling posture over the call.
- Phishing/Smishing attacks: Whilst some may disagree, I think the visual medium for social engineering-based attacks is on the rise when you factor in the power of AI. The trickery around email and text/SMS (smishing) messages is evolving. Its basic design, tricking you into clicking on malicious links, attachments, etc., provides a direct attack vector into your company or phone. It's often a preamble to a larger attack on your company, so double-check all emails that come into your inbox. Are they from the domain you expect, e.g. firstname.lastname@example.org, or one that merely looks like it, e.g. email@example.com? If you detect a variance, report it as phishing to your security department.
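One way to turn the "is this sender's domain the one I expect" check into something repeatable, as an added example rather than code from the original post: it pulls the domain out of a From: header and flags exact matches, lookalikes (digit-for-letter swaps, non-ASCII characters, the real name buried under another domain, near-identical spellings) and unknown external senders. The trusted domain, the confusable table, the similarity threshold and the sample headers are all constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Domains this organisation legitimately sends from (constructed for the example).
TRUSTED_DOMAINS = {"example.org"}

# Character swaps that make a forged domain read like the real one (assumed table).
CONFUSABLE = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
SIMILARITY_THRESHOLD = 0.8  # assumption: this close to a trusted name will fool a reader


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header such as 'Name <user@host>'."""
    match = re.search(r'@([^\s>"]+)', from_header)
    if not match:
        raise ValueError(f"no address in header: {from_header!r}")
    return match.group(1).lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Collapse common lookalike substitutions onto the characters they imitate."""
    for fake, real in CONFUSABLE.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'expected', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "expected", domain  # the trusted domain itself or a real subdomain of it
    if not domain.isascii():
        return "lookalike", f"{domain} contains non-ASCII (homoglyph) characters"
    for t in trusted:
        if skeleton(domain) == t:
            return "lookalike", f"{domain} imitates {t} by character swap"
        if t in domain:
            return "lookalike", f"{domain} buries {t} under another domain"
        if SequenceMatcher(None, domain, t).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{domain} is a near-identical spelling of {t}"
    return "external", domain


SAMPLE_HEADERS = [  # constructed From: lines, not real senders
    "Alice <alice@example.org>",
    "IT Helpdesk <helpdesk@examp1e.org>",
    "Payroll <payroll@example.org.login-portal.test>",
    "Ops <ops@ex\u0430mple.org>",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "Vendor <sales@supplier.test>",
]


def triage(headers=SAMPLE_HEADERS):
    """Classify each header; anything 'lookalike' is what the post says to report."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in triage():
        print(f"{verdict:9} {reason}")
```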
As you can see, there are many things we need to be aware of when thinking about cyber security in our working lives. They are based around our own work devices, but the same practices should apply to our personal ones too. Despite appearances, the two are closely linked, making good security practice across all of them a requirement for living in our digital world. We can never eliminate this risk, but together we can certainly reduce it to a tolerable and defendable level that allows our digital experiences to be rewarding both in the workplace and at home.
Stay tuned for more on Cloud Infrastructure in this blog along with articles on other areas of interest in the Writing and DevOps arenas. To not miss out on any updates on my availability, tips on related areas, or anything of interest to all, sign up for one of my newsletters in the footer of any page on Maolte. I look forward to us becoming pen pals!