Close this search box.

Did I Just Socially Engineer My Own Identity Theft?

Social engineering is the use of deception to get people to divulge confidential information. On an individual scale, it can be something as simple as disclosing the personal identification number for your bank card, enabling someone to illegally access your funds. On a corporate scale, it can entail the leaking of thousands of people’s confidential information including user names, passwords, identity numbers, etc.

BUI MD Ryan Roseveare says: “Although this type of social engineering can affect the general public and put them at risk of inadvertently exposing confidential information, the biggest threat is to corporates who hold massive amounts of personal data about their customers and their staff. All too often data loss in the corporate environment is simply the result of negligent behaviour by uneducated users who do something as basic as clicking on a malware-infected e-mail.”

According to Roseveare, a big threat to business is where private negligence can cause corporate issues, meaning when people use private devices on their own Internet and for private use. “They don’t even access company resources remotely but then they access applications, or they want to register for the likes of Facebook, and they use their company details (such as their e-mail address) and all too often they also use their work password to register. Hackers then get into the databases for sites such as Facebook, LinkedIn or even Ashley Madison, obtain those credentials and use them for external attacks.”

There have been several well publicised incidents of cyber crime recently, underscoring the need for businesses of all sizes to be vigilant about online security.

How did it happen?

Well, there are several ways in which people can be persuaded into sharing information that they wouldn’t ordinarily disclose. We all know not to click on links in e-mails or to open attachments from unknown sources, but what about that phone call from the bank or your cellular provider asking you to confirm your personal details?

However, not all identity thefts are that simple. In September this year, a US credit reference agency reported a hack that affected the data including credit card details of up to 143 million people. The implications of such a large-scale attack are widespread, including the damage caused to that company’s brand and reputation. It’s believed that the hack took place through a third party company that did business with the credit reference agency.

The right thing to do

What do you do if your customers’ personal data is exposed? Well, the most important thing is to establish exactly what confidential information was stolen. Then you need to let the affected people know immediately, says Roseveare, so that they can notify their financial institutions if their banking information has been breached.

Prevention is better than cure

Naturally, prevention is the preferred route, and there are several measures that businesses can take to identify potential breaches before they can happen. However, says Roseveare, much as in other remedial programmes, the first step is admitting that you may have a problem or, in this case that your system is indeed vulnerable to attack.

It’s important to note that the increasingly mobile workforce and the associated trend towards BYOD (bring your own device) make the job of safeguarding your company’s data that much more difficult. Roseveare breaks it down into three areas: “You need to protect the device, you need to protect the data, and you need to protect the access.

Measures that you could and should implement include multi-factor authentication instead of just a single password when accessing certain types of data, says Roseveare. So a combination of fingerprint, PIN, strong password, even iris scanning or facial recognition can be used to ensure that only authorised users can access certain applications and information.

While firewalls and anti-virus software certainly play integral roles in data security, these are powerless against the hapless individual who opens an e-mail that appears to come from a trusted source.

It may seem obvious, but educating your workforce and other users around the risks inherent in clicking on a link or attachment in an e-mail from someone that they don’t know, is one of the most basic things that you can do to protect your personal data.

Roseveare concludes by saying: “If the information above has sparked a fear that your business could well be vulnerable to attack, then we’ve achieved what we set out to do. A little healthy fear can save your business and your identity from malicious attacks of this nature.”

Ransomware: Are You The Problem?

Businesses around the world were brought to a standstill in mid-May by the WannaCry ransomware attack. But were the affected organisations indeed victims of the ransomware, or of their own inefficiencies?

Ryan Roseveare, MD at BUI, believes the latter. He says, “IT and security professionals at affected companies have to ask themselves some tough questions. How long did it take before you became aware of the problem? Were you notified on the Friday that the attack happened? If you’re a security professional, did you know about the attack as it was in progress, or did you only find out when you arrived at work on Monday morning? What did you do in response to the attack? Did you immediately buy a piece of software to fix the problem? How many e-mails did you receive from vendors trying to sell you products after the fact, or even days later?”

The answers to these questions will define whether you have an effective security response programme in place or not.

Roseveare continues: “If you reflexively bought software, in this case you wasted your money. In fact, businesses didn’t need to spend a single cent to mitigate the WannaCry attack. The bottom line is that if your business was affected by this ransomware, your IT department or security professional either in house or outsourced didn’t do their job.

“In fact, I’d go so far as to say that if your IT security provider didn’t inform you about the WannaCry attack on the Friday as it happened, you need to look at another provider. If they sent you an e-mail marketing a product after the fact, then you need to think twice about their motivation.”

Roseveare believes that if businesses were caught out by this particular ransomware, it was entirely self-inflicted. He says, “If your IT department had been proactive and initiated a standard response process and an effective patch management and update programme, WannaCry wouldn’t have even featured on your radar. If your response was to buy software to protect yourself going forward, you’ve probably wasted your money. In fact, we’re seeing a rise of what we refer to as Ransomware as a Service –  vendors are using ransomware as a marketing vehicle to sell a product. They’re capitalising on an incident that doesn’t actually require you to buy anything, to sell you stuff you probably don’t need.

“A proper security advisor would have told you about the ransomware attack on the afternoon that it happened. If you only found out on Monday about this attack or that your business was affected, then that was far too late you did not do your job and perhaps some introspection is needed.”

Businesses must examine their security response processes in terms of how they managed the attacks. Roseveare explains: “You need to interrogate whether all of your systems could be affected all the time, in this case did you communicate to everyone in your organisation over the weekend to explain what had happened and what they should do about it? Or did you come in on Monday morning, get an e-mail from a vendor and buy some software you didn’t need?

If we look at the timeline below, businesses should have had at least three months to prepare for this particular attack. If you still got caught, then it’s time to reassess your practices and your providers.”

WannaCry timeline

  • 16 January – US-CERT issues advisory on new SMB vulnerability.
  • 10 February – First infection of WannaCry.
  • 14 March – Microsoft releases patch for CVE-2017-0144.
  • 27 March – Second wave of attacks.
  • 14 April – Shadow Brokers releases EternalBlue exploit code.
  • 10 May – CVE-2017-0144 exploit is added to Exploit.DB.
  • 12 May – New wave of WannaCry attacks begins, using EternalBlue exploit to spread.
  • 12 May – Microsoft releases CVE-2017-0144 patch for Windows XP.
  • 12 May – Kill switch domain #1 is sinkholed.
  • 13 May  – A new version of WanaCry surfaces.
  • 14 May – Kill switch domain #2 is sinkholed.
  • 17 May – Notice displayed on infected computers claiming files will be decrypted if ransom is paid.

Roseveare concludes by issuing a warning: “We know that this is going to happen again, WannaCry wasn’t the last ransomware attack, it certainly wasn’t the first one, just this week there has been another outbreak and they are going to continue for the foreseeable future.

“What are you doing to protect your business? Or have you become complacent because you bought something? My recommendation is that you adopt a proactive approach, re-evaluate your policies and responses, re-evaluate your vendors!”

Security As A Service

Today’s IT environment is becoming increasingly complex, with computing assets spanning from on-premises legacy solutions to advanced workloads running as a service in the cloud. The challenge is securing the enterprise without impacting the business’s ability to operate, allowing the ever-increasing demand on mobility to be safe, secure and agile.

Ryan Roseveare, MD of BUI, says: “We’re seeing an escalating number of breaches, both local and international, so concerns around cloud security and identity are very valid and a top priority for all of our customers.”

As breaches, ransomware and modern cyber crimes become the new normal, the cost of security platforms to business is spiralling. According to Microsoft’s 2016 Trends in Cyber Security:

* More than 6 000 vulnerabilities are disclosed per year across the industry.
* 41.8% of all vulnerability disclosures are rated as highly severe – a three-year high.
* The encounter rate for consumer computers was about 2.2 times as high as the rate for enterprise computers (domain joined).

“In South Africa, organisations entering the cloud face the additional concern that their data will be hosted internationally, so the security aspect is very much top of mind for the local CIO considering taking his business into the cloud,” says Roseveare. “As a result, over the past couple of years we’ve seen an increase in the number of companies undergoing the cloud security journey, especially in South Africa where we don’t have any big data centres just yet. We’re having this conversation on a daily basis with businesses that are nervous to ship their data off overseas. They want to make sure it’s secure.”

“Other concerns that we’re seeing revolve around data sovereignty, businesses want to know whether other governments see their data. The perception is that the minute the data leaves South Africa’s borders, we lose control over what happens to it,” says Roseveare.

So South African organisations are caught in a quandary between migrating to the cloud – a non-negotiable for survival and growth – and keeping their data secure while complying with complex local and possibly international regulations. Roseveare says: “When you move your organisation to cloud services, you must be able to trust your service provider with your most important, sensitive and confidential data. Look for someone who focuses on building secure solutions that deliver value to customers, partners, and shareholders alike – both in the cloud and on-premises.”

What makes a good cloud partner from a security perspective? Well for one thing, explains Roseveare, they must address all areas of security, from identity and access to network security, data protection and data privacy. It’s also important that the provider be able to offer a holistic integrated security service as opposed to stand-alone products. Clients who have legislative or compliance requirements around their data, should also request extensive privacy controls and visibility into where their data resides and who has access to it, as well as whether the data is hosted in a single data centre or across more than one, so that should that data centre cease functioning for some reason, the data is still available. Customers with data sovereignty and compliance concerns will be glad to know that two hyper scale data centres are being developed in South Africa in 2018.

“There are three aspects to cloud security,” says Roseveare. “You want to secure your users’ identities, you want to protect your infrastructure and you want to ensure that apps and data are kept safe.”

User identity and customer data must be secured by means of enterprise grade multifactor authentication and information protection, so the use of biometric access controls such as retina or fingerprint scanning, as well as identifying the user’s location, can ensure that only legitimate users can access your data or applications.

Infrastructure management includes protecting mobile users, identifying potential threats and managing security incidents from detection to post-event analysis. The emphasis is on early detection, remediation and notification, which are key aspects of defending against security threats.

The bottom line, concludes Roseveare, is that whether the threat comes from inside your own organisation or from outside forces, you need to know that your organisation’s data is protected, regardless of where it resides.