Avoiding “obvious” data breach errors, Part 1

Don't make the same mistakes as others. There's no longer any need.
13 October 2022

If you’re going to make data security errors – at least, make new ones.

“Let the shipwrecks of others be your sea-marks” is a Danish proverb, which translates as “learn not to make the same cataclysmic data security errors as others have made before you.” With the likes of the Uber hack, the IHG hack and others strong in our minds, we sat down with David Burden, CIO of digital identity specialists, ForgeRock, to ask how we can at least not make seemingly “obvious” data security errors in light of these cases.

THQ:

How good a security tool is multi-factor authentication, on average? After all, in the IHG case, it seems as though two amateur hackers managed to get past MFA with very few problems.

DB:

Well, the good news is that I think multi-factor authentication can let you breathe and sleep a little bit more soundly. But bad actors are always catching up. So if you look at the Uber incident, no-one can be thinking “that” will never affect them – whatever “that” is in their minds, be it MFA-failure or anything else. And that applies from small companies to very large ones. We’re all absolutely prone to this in the current environment. But for instance, Uber probably had MFA in place. We’ve all read the articles, but no one truly knows what happened. But I’m sure if the company had MFA in place, people are starting to work around that, focusing on MFA fatigue. I think that’s probably a way access was granted on this occasion. If not that, then creating fake websites or spoof websites to socially engineer their way in, saying “Please go to this site to enter your MFA credentials.” I think that’s a way in.

Technology is a great start, and it’s where our protection starts. But it’s got to be coupled with lots of other things. Great policies, training, education, awareness. Technology gets you very much there. But you know, as you know, social engineering can be your Achilles heel at times.

The perils of user fatigue

THQ:

Is user fatigue a potentially a factor that we need to start working into our cybersecurity defense mechanisms? Are we that jaded with the likes of MFA already that we’re looking for the next, easier thing?

DB:

Yes, I think people are getting fatigued with the security aspects. Generally, you want as seamless an experience as possible for your users. And you have to strike a balance between security and productivity. So it’s important to get that balance really right because otherwise, it’s not just bad actors trying to get into your systems, employees get fatigued and find a way around for themselves! Or try to get around that productivity aspect by trying to work their way around it. It’s human nature to avoid fatiguing, irritating processes. Make it too complicated, and people will start looking for loopholes themselves.

So I do think fatigue is an issue with this, but the way you configure your setup is crucial too.

There are ways of using AI to secure your enterprise, because it can get you closer to that seamless feel for your users. Again, it’s about striking the right balance between security and productivity.

THQ:

So an overly complex access system can end up doing the bad actors a favor?

DB:
Right. You facilitate bad actions by putting additional strain on your workforce.

Social engineering and the hack Svengali

THQ:

You mentioned the social engineering element of bad actors getting access. Talk us through that. Is it as simple as creating a fake website, giving a prompt to go to the website to validate your MFA, and bang, now a bad actor has control of your access? Or is there more to it than that?

DB:
There can be more to it than that, yes. Bad actors with the social engineer’s touch, for instance can go to LinkedIn. There’s lots of business-specific, role-specific, and hierarchy-specific information on LinkedIn. Your role in the company, and if you’re new to that company, who your boss is, who the CEO is, etc. I’ve seen in other companies there were challenges with bad actors trawling social media, looking for a junior member of staff, maybe in the finance department, who’s just started at that company. They find out their email address, and then ping them at a very stressful time such as month end or Monday morning, purporting to be the CFO asking for sensitive data on customers or invoices outstanding, and then following that through.

So you’re catching someone who’s junior to the workforce, probably intimidated that they’ve had an email from the CFO already, not understanding how the company works. That’s the prime time to use someone like that as an attack vector. So again, technology is the mainstay of economic defense, but a ton of education and training can help defuse that attack vector, too. We frequently talk to our whole team about the pitfalls of social engineering. Be careful what you’re sharing online, but also to constantly question right, and when they get communications from something that doesn’t seem like a proper source to really validate that and think about it, and think of ways to make sure that what you’ve been sent is valid before you respond and become an unwitting attack vector.

The dangers of the human factor

THQ:
So social engineering is about exploiting the human factor – putting people into an enhanced state of anxiety about deadlines, or pressure, or what sort of trouble you could be in, so you’ll respond as you’re told to respond, rather than as you should respond, which is to think about it critically?

DB:

Exactly. That can work extremely well if you’re in an HR team too. You’re always contacting people, receiving resumes. If the hackers have been keeping an eye on LinkedIn, there’s nothing to stop them sending you a resume for a job you’re posting, which can contain malware, or sending you a Dropbox link or something similar that leads you to a site.

THQ:

Yes – that’s exactly how the Golden Chickens malware operated. Using HR functions – either posting job vacancies with downloadable job descriptions, or sending resumes for available jobs, and including the malware in those documents.

DB:

That’s the importance of increased awareness, increased investment in staff education and training, making staff aware of what should be shared what shouldn’t be shared publicly on social media, because it’s a massive way in for bad actors.

 

In Part 2 of this article, we’ll tackle other forms of validation, data access, password hygiene, and how to not make some more obvious data security errors.