One Article Review

Source: AlienVault Blog
Identifier: 1564782
Publication date: 2020-02-25 13:00:00 (viewed: 2020-02-25 14:01:54)
Title: How to harden your employees from the massive social engineering threat
Text:

This blog was written by an independent guest blogger.

Social engineering is the art of human deception. In the world of cybersecurity, it’s how attackers fool human beings in order to conduct cyber attacks. Some of these cyber attacks can be very expensive to your business. In fact, many of the worst cyber attacks on your organization’s network start with fooling you or one of your employees. Penetrating a network without human interaction is really tough, but the people who work for your company have privileged access that can be easily exploited.

I was at a Leading Cyber Ladies meetup in Toronto recently, where threat research expert Sherrod DeGrippo visited all the way from Atlanta to talk about how cyber threats often work these days, and what their attack chains are like. I had the idea to write about social engineering before I attended the meeting, but I wasn’t expecting to do research for this post by attending it. It was just a very fortunate coincidence that DeGrippo said some things about social engineering that really captured my attention. After the meeting, we had a quick chat and followed each other on Twitter.

During her talk at the meeting, DeGrippo mentioned how she sees a lot of cyber attackers, from APTs to script kiddies, target human beings as an initial attack vector a lot more often than they used to. She said doing reconnaissance on a corporate network is very difficult, whereas doing reconnaissance on a person is a lot easier. We post about ourselves on social media all the time. We talk about the places we’ve visited and the things we like on Twitter. We talk about who our family and friends are on Facebook. And we tell LinkedIn our job titles, who we work for, and what we do there. An individual who works for a targeted company has privileged access to its networks and to its physical buildings. Socially engineer them, and you can get malware on their systems to send sensitive data to a command and control server, or you could possibly walk into an employees-only area of an office.

The other thing she discussed which intrigued me is that she sees information security professionals targeted for social engineering attacks more often than ever before, and how lucrative we can be as targets for social engineering exploitation. Contrary to our belief that we know better, it often works! I asked DeGrippo about it. She said:

"Yes, targeting infosec professionals is my big concern lately. The more sophisticated actors are doing really specific targeting. This includes people in security roles and lots of people in software development roles. There is so much info out there. A job offer, a security report, a discussion of a new technology and a code snippet: all potential social engineering lures to send to technical people with privileged access."

I said, "Maybe some of us are way too confident. That confidence can be dangerous."

"... totally. I worry about that. I worry that as an industry we are so focused on protecting others that we let our own opsec (operational security) slip or we just don’t have time to focus on it as much. It’s not really hubris in most cases, it’s just forgetting to do a threat model on ourselves."

She also spoke to me about how cyber attackers often choose their social engineering targets.

"The thing I like to do is get into the psychology of a threat actor. If I could be anyone I wanted to be, but only online, who would I choose? A software dev at a fancy car company? I could hack some luxury car software to unlock for me anytime, anywhere! A junior HR admin at a large company? Steal a ton of identity and payroll data! Maybe I would be a fancy CFO’s assistant and make changes to deposit instructions for invoices to my own mule account
Tags: Malware, Hack, Threat, Guideline