Cybercrime syndicates as well as so-called hacktivist groups continue to develop and fine-tune techniques aimed at extracting sensitive corporate and government information using weak passwords and social media activities of personnel, warned Bryan Lillie, chief technical officer of United Kingdom-based defense technology company QinetiQ.
“Integration of systems means successful attacks against one system can provide access to another system,” Lillie explained during his presentation on the dangers of connected systems at the recently concluded Best Defense 2015 conference presented by the London Economic Development Corp. in London, Ont. “Systems that were once self-contained are now configured and controlled via Internet connected systems…Where are the boundaries in connected systems? There really isn’t one.”
His presentation provides some useful takeaways for chief security officers (CSO) as well as IT managers.
Lillie said attackers often employ a combination of physical and cyber-attacks.
For instance, in 2011 the hacktivist group Anonymous carried out an online attack and stage a physical protest targeting San Francisco’s Bay Area Rapid Transit (BART) system. The result was massive disruption of the ground-based public transportation system that included the closure of four transit stations and the shutdown of cellular phone services in tunnels and stations.
While interconnected and interdependent systems have increased the vulnerability of organizations, Lillie pointed out that one of the greatest risks comes from insider threats posed by human behaviour and vulnerabilities to social engineering tactics.
Recently, he said, cyber-spies created a fake Facebook page for United States Admiral James Stavridis, the supreme allied commander of the North Atlantic Treaty Organization (NATO). Several British military and government officials were duped into accepting a Facebook friend request from the bogus Facebook page.
Attackers find it easy to gain access to corporate and government networks and steal sensitive data because of:
- The prevalence of weak passwords
- Poor security procedures (unregulated social media use, I.D badges worn offsite)
- Staff that readily share company information over the phone even to unknown callers
- Personnel clicking on links and URLs that link to malware
- An underlying belief that security is part of the bureaucracy and not really necessary
According to Lillie IT decision makers can lessen the cyber-risk exposure of their organization by asking themselves the following questions:
- What information about my organization can be found through online search engines?
- What online groups and sites do our personnel use?
- Is it possible to identify which technologies and systems our organization is using?
- Are staffers able to recognize potential security threats?
- Do our personnel know what to do when they encounter a potential security threat?
Lillie concluded that organizations need to exert more effort in educating staff on security, integrating physical and cyber security as well as continually measuring and testing system performance and protection to stay on top of security threats.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…