Third Party Hacks Can Pose Significant Threat to Businesses, Just Look at the Fortune 500
Hackers with access are bad news, no matter how you slice it
According to a recent report, employees from 221 Fortune 500 companies had credentials exposed by third party hacks, which can leave corporate digital assets highly vulnerable to costly attacks. GDF’s founder talks about how hackers can use the information gathered from a successful attack on a third party to exploit business networks, and shares some keys to significantly improving an organization’s stance against this common problem.
Almost half of the country’s most prominent companies could find themselves in a very precarious situation according to a study done by Recorded Future, as highlighted in this NBC News article published on October 29th. For a little over 9 months, Recorded Future set themselves to task to find out just how prominent the problem of exposed employee credentials really is in the corporate world, and they came up with some eye-opening numbers. They determined 221 Fortune 500 companies had employees whose credentials had been exposed, with roughly half of the financial firms, technology companies and public utilities on the list among them. Joe Caruso, founder and CEO/CTO of Global Digital Forensics (GDF), a premier national provider of cyber security solutions headquartered in New York, hopes reports like these will help draw some much needed focus to this potentially devastating problem.
“Most corporate IT security departments and personnel seem to have blinders on when it comes to hacking events that occur outside the realm of their immediate responsibility,” says Caruso, “but what happens to their employees on the outside can certainly come back to bite them if those attitudes don’t change in a hurry. Just one compromised employee who uses the same credentials for multiple sites, which is a huge problem by the way, can leave the entire business network exposed to a whole slew of potential bad guys looking to gain access to their company’s sensitive digital assets. Not only does immediate and direct access by a malicious intruder become a concern, but the ability for hackers to leverage compromised credentials and other personal information gleaned from third party sites boosts the effectiveness of their social engineering attempts, like spear phishing campaigns. Because the truth is, social engineering is all about trust, and any bit of personal information that can be used to add a personal touch to a spear phishing email exponentially increases the chances that one or more employees in an organization will open a malicious attachment which could download a RAT (Remote Access Trojan), or follow a link to a malicious site, giving the attacker exactly the access they covet that way. And let’s not forget about watering hole attacks, which is a practice commonly used by hackers to target a specific industry or company by using a legitimate and trusted third party site that has been previously compromised to push out malware directly. If cyber criminals can gain your trust with a personalized social engineering ploy, they’re starting near the finish line.”
The potential danger social engineering poses is also borne out by another report released on October 29th by the Georgia Institute of Technology, titled Emerging Cyber Threats Report 2015, where it sums up the issue well - “Humans are no longer the last line of defense against cyber attacks, but often represent an end run around security measures. Convince a user to open an attachment and dismiss a security warning, and an attacker’s job is mostly done.”
Boosting social engineering awareness, assessing vulnerabilities and testing for weaknesses company-wide can all be done together for added cost effectiveness.
“The main ingredients for success when it comes to enhancing an organization’s cyber security posture are commitment and regularity,” says Caruso. “Every company relying on the digital world in any form or fashion has to understand it’s not a choice today, it’s a necessity, and they have to be committed to making a stand and following through with it. They have to understand what they are vulnerable to, which can be very unique company to company, and they have to know what their weaknesses are. And it’s not a one shot deal, the process has to be repeated regularly to make sure the organization’s cyber security posture evolves with the cyber threat landscape. That’s why we always recommend combining our professional vulnerability assessments with our comprehensive penetration testing services, and since the human element in any security chain is typically the weakest link, we also put a strong focus on social engineering throughout. And because we have the real-world experience and an extensive, proven background covering a wide array of clients, we can typically flat-rate proposals to take the guess work out of the process. We also try our best to promote regularity by offering even further discounts when organizations sign up with us for bi-annual, or quarterly assessments and testing. The added advantage to that is we will find and eradicate any malware or intrusion that may have come into existence between cycles, and with many intrusions today often lasting months or even years, it’s much better to spot it and fix it sooner rather than later, not to mention far and away less costly to the organization in the end.”
*Global Digital Forensics is a recognized industry leader in the fields of computer forensics, cyber security and emergency incident response, with years of experience assisting clients in the government, banking, healthcare, education and corporate arenas. For a free consultation with a Global Digital Forensics specialist, call 1-800-868-8189 about tailoring a cost-effective plan which will meet your unique needs, without wasting resources on solutions you simply don’t need. Emergency responders are also standing by 24/7 to handle intrusion and data breach emergencies whenever and wherever they arise. Time is critical if a cyber incident has occurred, so don’t hesitate to get help. For more information, visit our cyber security page.