Social engineering attacks on the enterprise are trending upward

Amit Klein, CTO of the security firm Trusteer, predicts that social engineering attacks against enterprises will be on the rise in 2012. The problem is that too many people disclose too much personal information on social networks, and this gives thieves the leverage they need to gain and then abuse people's trust.

Here's an updated proverb for the Information Age: "Give a man a fish and you'll feed him for a day. Teach a man to fish and you'll feed him for a lifetime. Allow a man to phish and you'll give him your identity, your bank account, your intellectual property ..."

I recently talked to Amit Klein, CTO for security company Trusteer. Klein had just published his predictions for cybercrime trends in 2012. He's in a unique position to see what's happening because his company has more than 26 million agents installed on devices in the field and they all feed into Trusteer's intelligence systems. Trusteer is scanning for malware, spyware and viruses in the wild, and the information they collect allows Klein to make his predictions with a high degree of confidence. The following is one of his observations for the year ahead:

• Personal information, disclosed on social networks, will be used in social engineering attacks against the enterprise. Fraudsters, all too aware of the valuable intelligence freely available on social networks, are starting to mine these data sources, capturing the personal details needed to successfully complete social engineering attacks. Trusteer predicts this will manifest itself over the coming year as an enterprise issue.


Social engineering goes hand in hand with phishing and its variants, vishing (voice phishing, carried out over the phone) and smishing (SMS phishing). Social engineering often involves pretexting, the act of creating and using an invented personal scenario (the pretext) to engage a targeted victim and get him to divulge information or perform an action. For example, the "mark" might receive an email from someone who claims to be an old high school classmate. The email contains a link to what looks like a class reunion invitation, except that the link really goes to a website that surreptitiously drops a keystroke logger on the unsuspecting person's computer.

Criminals are finding it easier than ever to create a pretext using the unprecedented amount of personal information that people willingly publish about themselves on Facebook, LinkedIn and scores of other social sites. And even if a person doesn't post private information on social sites, there are plenty of other avenues to get personal information about him. Like it or not, information about us is everywhere: in alumni databases, in community newspapers, on club member rosters, within public records like property deeds, on corporate websites, on job boards. It's hard to be a private person today.

In the case of attacks against enterprises, every employee is a viable target, from the people in the mailroom to the ones in the corner offices. All a cyberthief needs in order to get behind the firewall to steal data or intellectual property is a single person who lets his guard down and compromises his network access. You might think a thief would prefer to victimize superusers or executives with access to the most sensitive data, but according to the Verizon 2011 Data Breach Investigations Report, 80% of the people who are scammed in this way are regular employees/end users.

If this is an upward trending attack vector for 2012, here are a few things you can do to mitigate the risk.

• Train employees to recognize and avoid phishing and other social engineering attacks. Good educational products are available from PhishMe and Wombat Security Technologies.

• Restrict company email addresses to business use only. Encourage employees to use a personal email account for everything that isn't related to company business, so that a company address harvested from a social site or mailing list is less useful as a starting point for a pretext.

• Implement strict mail-filtering rules to catch spam and phishing messages before they reach the inbox. Wombat has an anti-phishing tool called PhishPatrol that specifically catches phishing and spear-phishing emails.
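To make the filtering recommendation concrete, here is an added example (not code from the article, and not from Trusteer, Wombat or PhishMe) showing three of the checks a mail filter typically starts with, applied to the reunion pretext described above: the visible link text names one host while the href points at another, From and Reply-To sit on different domains, and the sender domain is a lookalike of the company's own domain. The company domain (example.com), the two messages and the hostnames in them are all constructed for the example.

```python
"""Phishing heuristics over raw RFC 822 messages (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption: the protected organisation's domain

# Anchor text that reads like a URL or bare hostname; anything else is ignored
_URL_LIKE = re.compile(r"^(https?://|www\.)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def domain_of(addr: str) -> str:
    """Lower-cased domain of an e-mail address ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Lower-cased host of a URL or bare hostname ('' if none)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_lookalike(domain: str, target: str) -> bool:
    """True for domains that embed the target's name but are not the target."""
    if domain == target or domain.endswith("." + target):
        return False
    return target.split(".")[0] in domain


def phishing_indicators(raw: bytes) -> list:
    """Return the indicator strings found in one raw message, in check order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        found.append(f"reply-to-mismatch:{sender}->{reply_to}")
    if looks_like_lookalike(sender, COMPANY_DOMAIN):
        found.append(f"lookalike-sender:{sender}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _AnchorCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = host_of(text) if _URL_LIKE.match(text) else ""
            if shown and shown != host_of(href):
                found.append(f"link-mismatch:{shown}->{host_of(href)}")
    return found


# Constructed sample messages; hostnames are placeholders, not real sites.
PRETEXT_MSG = b"""\
From: Old Classmate <reunion@example-alumni.net>
Reply-To: collect@mail-drop.invalid
To: mark@example.com
Subject: Class of '96 reunion
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Hi! Details and RSVP are at
<a href="http://download.invalid/rsvp.exe">http://example-alumni.net/reunion</a></p>
"""

CLEAN_MSG = b"""\
From: Payroll <payroll@example.com>
To: mark@example.com
Subject: Pay slip posted
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your slip is at <a href="https://hr.example.com/slips">https://hr.example.com/slips</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("pretext", PRETEXT_MSG), ("clean", CLEAN_MSG)):
        print(name, phishing_indicators(raw))
```

The three checks are deliberately cheap and deterministic so they can run on every inbound message; in practice they sit alongside sender authentication (SPF, DKIM, DMARC) and URL reputation, since a well-crafted pretext can pass any one of them on its own.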

According to the Verizon breach investigation team, the tactic of using social engineering to find a vulnerable person isn't new, but it is experiencing a growth spurt. Maybe 2012 is the year to become a little less sociable.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2012 IDG Communications, Inc.
