Author: Kenneth Hofsommer, CPA, Partner at Sax LLP, which has partnered with Safari Solutions

Did you know that most cyber security breaches are caused by humans? Humans make mistakes, and humans can be tricked and manipulated by professional criminals and amateurs alike. Of course, the errors are most often unintentional: actions taken, or not taken, by employees and owners.

You might have read that Uber got hacked. As a user, you might not need to worry about your personal data being stolen: Uber has reported that they haven’t seen any evidence of user data being compromised. So does this mean Uber caught the hack in time? Or that the hacker wasn’t after user data? Uber reported they still aren’t sure of the hacker’s goals. But regardless of the hacker’s goal, the situation proved to be a wake-up call for Uber—and for every company and individual who uses the internet.

The hacker, confirmed to be a teenage member of the Brazilian hacking group Lapsus$, didn’t “break into” Uber’s internal systems using high-tech software or the super-specialized knowledge of hackers in movies. Instead, they used a social engineering attack—a common strategy hackers use to gain access to sensitive data like passwords and login credentials.

What is a Social Engineering Attack?

A social engineering attack, also known as a social engineering campaign, is a hacking strategy that involves manipulating people into sharing confidential information. Often, this is achieved by posing as a trustworthy figure like a longtime vendor or a colleague. In doing so, the hacker builds familiarity with their mark, causing the mark to let down their guard and voluntarily share information.

With the Uber hack, we know the hacker targeted Uber employees through a social engineering campaign. Allegedly, it was an Uber contractor who provided the information necessary to access the VPN (virtual private network), which in turn made it possible to reach Uber’s internal programs and systems.
From there, they reached multiple code repositories and accessed the admin credentials for Thycotic, the Privileged Access Management (PAM) system Uber uses. With those credentials, they were able to access Uber’s internal Slack, Google Drive, Amazon Web Services, and other tools used exclusively by Uber employees.

If you’ve encountered a phishing email in your inbox, you’ve encountered a social engineering attack. Phishing emails typically mimic emails from senders like your bank, a pharmacy, or even a government agency like the IRS, and ask for confidential, personally identifying information like your online banking password or your social security number. They often include links to fake login pages that look nearly identical to the real thing.

Ransomware, Data Poisoning, Phishing and Spear Phishing

Social engineering attacks come in a few different forms. They include:

Phishing. Phishing attacks most often involve posing as a reputable company or individual and asking users to provide information like their login, password, or credit card information. Sometimes the hacker uses this information themselves; in other cases, the acquired information is sold on the dark web.

Spear phishing. Spear phishing uses the same strategy as phishing, but instead of a fraudulent email being sent to hundreds or even thousands of users, it’s sent to a specific individual or group of people in an effort to obtain their sensitive information.

Ransomware. Ransomware is software that blocks access to a specific program or network, locking users out until they pay the hacker. Essentially, ransomware holds access “for ransom.”

Data poisoning. Data poisoning is a bit different in that its goal is to change a dataset. If your company uses AI or machine learning, you could be at risk of data poisoning. With data poisoning, the hacker injects samples of their own choosing into the machine’s training data, warping the machine’s understanding of that data and causing it to misclassify certain test samples.
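As an added illustration that is not part of the original post, the Python sketch below shows how a handful of mislabelled samples injected into training data shifts a simple classifier’s decision, and a basic sanity check a team can run on training data before it is used. The data, the nearest-centroid classifier, and the outlier threshold are all constructed for this example.

```python
"""Toy demonstration of the data-poisoning risk described above, plus a
defender-side check on training data. All data here is constructed."""
from statistics import mean, median

# Constructed training set: (feature, label). The feature is a single
# "how unusual is this login" score; label 0 = benign, 1 = suspicious.
CLEAN_TRAIN = [(0.10, 0), (0.12, 0), (0.15, 0), (0.18, 0),
               (0.20, 0), (0.22, 0), (0.25, 0), (0.28, 0),
               (0.80, 1), (0.85, 1), (0.90, 1), (0.95, 1)]

# Samples an attacker slips into the training data: high-score events
# deliberately labelled "benign", dragging the benign centroid upward.
POISON = [(0.90, 0), (0.92, 0), (0.95, 0)]


def _group_by_label(train):
    by_label = {}
    for x, y in train:
        by_label.setdefault(y, []).append(x)
    return by_label


def fit_centroids(train):
    """Nearest-centroid classifier: one mean feature value per label."""
    return {y: mean(xs) for y, xs in _group_by_label(train).items()}


def predict(centroids, x):
    """Label whose centroid is closest to the feature value x."""
    return min(centroids, key=lambda y: abs(x - centroids[y]))


def flag_suspicious_samples(train, k=3.0):
    """Provenance check to run before training: within each label, flag
    samples whose distance from the label's median exceeds k median
    absolute deviations. Injected samples form a cluster the clean data
    for that label never occupies, so they stand out; a flagged batch
    should be traced back to its source rather than trained on."""
    flagged = []
    for y, xs in _group_by_label(train).items():
        med = median(xs)
        mad = median(abs(x - med) for x in xs) or 1e-9
        flagged += [(x, y) for x in xs if abs(x - med) / mad > k]
    return flagged


if __name__ == "__main__":
    event = 0.60  # a moderately unusual login, constructed test sample
    print("clean model says:", predict(fit_centroids(CLEAN_TRAIN), event))
    print("poisoned model says:", predict(fit_centroids(CLEAN_TRAIN + POISON), event))
    print("flagged training samples:", flag_suspicious_samples(CLEAN_TRAIN + POISON))
```

With the clean data the moderately unusual event is classified as suspicious; after only three injected samples it is classified as benign, while the pre-training check flags exactly the injected samples.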
What Can Happen If My Company is Hacked?

If a hacker gains access to your company’s internal systems, sensitive data like customer and employee information can be stolen. Depending on what the hacker manages to access, actual money can be stolen and/or you can lose access to your accounts. You might be pushed to pay significant ransom fees to have your accounts returned to you—or to keep the hacker from broadcasting their stunt and destroying your company’s reputation with its clients. The costs of being hacked go beyond this. They also include:
Handling (and Preventing!) Hacks

The easiest way to protect yourself from hacking is to take preventative measures against it. To prevent malware and ransomware attacks, invest in a firewall that blocks threats before they can reach your team. Additionally, depending on which tools you use, you might be able to migrate them to the cloud and take advantage of the security measures your cloud hosting provider uses. This also ensures your tools are updated regularly, which typically means improved security measures.

Your industry might require you to adhere to certain cybersecurity regulations. Review these regulations regularly and, when necessary, work with your IT team to ensure that you’re up to date and in compliance.

These are just part of a cybersecurity strategy, though. The other half is training your team to recognize social engineering attacks, because these slyly slip past firewalls and reach unsuspecting users. Host regular cybersecurity training and make good security habits part of your company culture. This is especially important if you have remote workers, as you might need to make adjustments to your network to ensure they’re as protected as the workers in your office.

During your security training sessions, cover basic security measures like the importance of a strong password and the importance of changing your password regularly. Other important topics to cover include knowing how to spot a phishing email and recognizing which kinds of information a legitimate vendor might ask for versus the information they would never ask for. You should also conduct regular network security assessments to catch any potential weak spots or software that needs to be updated.

Finally, there’s the component of ensuring that if you are hacked, you can respond promptly and minimize the damage. Purchase cyber liability insurance to cover any losses you incur as the result of a hack.
Just like every other kind of insurance, you never want to be in a situation where you need to use it…but in the event you are, you’ll be so glad you have it.

Kenneth Hofsommer, CPA is a partner at Sax LLP, which has partnered with Safari Solutions to create S2 Technology Solutions, LLP. For any questions, please contact him at [email protected] or 973-472-6250. S2 Technology Solutions’ focus is a big-picture, goal-oriented approach to client service.