Hackers Still Going Hard After Banks – But Employees Are Now Prized Targets
A recent study shows banks getting hit by three times as many cyber attacks as other sectors, with hackers’ best successes coming not from frontal assaults but from exploiting the human element. GDF’s founder talks about the importance of raising employee cyber awareness, and how professional penetration testing with a focus on social engineering, backed by expert emergency incident response, can help.
According to a new study released by Raytheon/Websense, summarized here in this article published in Information Week’s Dark Reading on Tuesday, June 23rd, banks still garner the most attention when it comes to cyber attacks; three times more than any other industry. The attention, however, isn’t new, and banks and other financial institutions are usually on the cutting edge when it comes to technology solutions geared to keep their networks safe. “But there is still a soft spot that technology alone still can’t quite solve,” says Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions and digital forensics services headquartered in New York City, “and that soft spot comes in the form of personnel already inside the castle.”
Social engineering is still king when it comes to infiltrating a financial or corporate network
“Social engineering comes in many forms, but spear phishing is still public enemy number one for IT security personnel, for banks and corporations alike. Spear phishing emails can be extremely personalized, and depending on the skill level, resources and diligence employed by the attacker, they can be both very convincing and quite difficult to identify as a malicious threat. Spear phishers used to rely heavily on social media bait, like faked LinkedIn or Facebook invitations and other personal notifications, but now they are evolving into other types of notifications, like a notice that a voicemail or fax from a known vendor came in, or package delivery notifications which make complete sense by referencing individuals, projects or departments employees are familiar with. Many times the information attackers use comes from an organization’s own website, press releases and/or other announcements. They will also apply advanced tactics like spoofed headers, basically changing the From: address to match up to the identity of the person or organization they are pretending to be. The worst part is, if just one individual gets ‘conned,’ any and all organizational digital assets could quite possibly be compromised as a result,” warns Caruso.
“From the CEO to the fresh new intern, everyone is vulnerable and could be all the foothold attackers need to see whatever agenda they have through to fruition, so don’t be afraid to pick up an actual telephone and confirm an unexpected email, and if it turns out to be a hoax, report it immediately to whoever is tasked with the organization’s cyber security.”
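The spoofed From: header and the vendor-notification lure described above can be surfaced at the mail gateway before the message reaches an employee. The following is an added example, not code from GDF or the article, that checks two constructed messages for a Return-Path domain that does not align with the From: domain and for a display name that borrows a known vendor’s brand while using a different domain; the vendor table, domains and messages are all assumptions made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed brand-to-domain table for vendors the organization actually uses
# (assumption: in practice this comes from the mail gateway's allow-list).
KNOWN_VENDORS = {"acme couriers": "acme-couriers.example"}

# Constructed message imitating the vendor-notification lure from the article:
# the display name claims a known courier, but neither the sending domain nor
# the bounce address belongs to that vendor.
SPOOFED = """\
Return-Path: <bounce@mail-delivery-notice.example>
From: "Acme Couriers Delivery" <notices@acme-couriers-delivery.example>
To: jane.doe@bank.example
Subject: Package for Project Falcon awaiting pickup

Your package referencing Project Falcon is ready.
"""

# Constructed legitimate notification sent from the real vendor domain.
LEGIT = """\
Return-Path: <bounces@acme-couriers.example>
From: "Acme Couriers" <notices@acme-couriers.example>
To: jane.doe@bank.example
Subject: Package awaiting pickup

Your package is ready.
"""

def domain_of(header_value):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()

def header_findings(raw_message):
    """Return tags for header traits typical of a spoofed From: address."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    bounce_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    # SPF-alignment check as DMARC does it: bounce domain should match From:.
    if bounce_dom and bounce_dom != from_dom:
        findings.append("return-path-mismatch")
    # Display name borrows a known vendor's brand but the address domain differs.
    for brand, real_domain in KNOWN_VENDORS.items():
        if brand in display_name.lower() and from_dom != real_domain:
            findings.append("display-name-impersonation")
    return findings
```

`header_findings(SPOOFED)` returns both tags and `header_findings(LEGIT)` returns an empty list; a gateway rule can quarantine or flag anything with at least one finding for the security team to review.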
Combating the threat revolves around testing, awareness and response
“The social engineering aspect of cyber intrusions, which is where spear phishing would fall, is something we focus on heavily when we are called in to do cyber threat assessments and comprehensive penetration testing for clients, which range from very small businesses to well-known financial institutions. The scale and scope of the tradecraft we will employ is discussed and agreed upon in advance, and then we go to work,” says Caruso. “Nothing we do will be destructive, but it will definitely be enlightening. We’ll do the same things real-world attackers would do. We’ll use publicly available information and anything else we can get our hands on, online, by telephone, or even in person, and craft a spear phishing campaign. We’ll do everything from creating full-blown dummy websites to spoofing an individual or department within the organization itself. And so far, we’ve never failed to get a foot in the door. When we divulge our findings in our detailed report, it’s got a shock and awe factor that really sinks in deep. It has the powerful, double-barrel effect of exposing weak links in the organization’s cyber security posture, as well as serving as an excellent springboard to raise internal cyber-threat awareness significantly. From there we’ll tailor a remediation plan with the client. If the client chooses, we can even hold awareness seminars to get the entire organization on the same page, from what to look for and how to spot these types of threats, to what to do if a malicious threat is found. And of course we can also satisfy any cyber emergency incident response needs a client may have with our team of experienced cyber responders, strategically positioned across the country and around the world and available any time of the day or night, just in case.”
Every organization’s needs, desires and digital infrastructure are unique. But having veteran cyber security experts like the experienced team at Global Digital Forensics come in to professionally tailor a testing and response plan specifically geared to the individual client can go a long way, not only toward closing the initial gateway intruders can use to wreak havoc, but also toward substantially lessening the destructive aftermath should an attack or intrusion still manage to occur. There is no such thing as absolutely perfect protection, but the odds of being attacked and the consequences when it happens can both be greatly reduced with the right plan in place.
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, electronic discovery (eDiscovery), cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a plan which will meet your unique needs. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.