Anatomy of a social attack
You may have seen the article recently where a Brisbane council was defrauded of significant amounts of money by scammers. While investigations are ongoing, this appears to be primarily a social engineering attack, similar to several that we have provided advice on in South Australia over the last few months.
Like the Brisbane attack, the financial fraud attempts currently active share common themes and follow the same playbook:
- Choose an organisational target that has access to reasonable funds but is not so big that a payment request would run into heavy approval process
- Profile the organisation itself
- Profile the power players
- Build an org chart
- Choose two players, usually the CIO and CFO
- Determine when the CIO is away
- Craft legitimate-looking urgent e-mails from the CIO to the CFO requesting funds, using avoidance phrases such as “need this done now”, “in a meeting” and “must execute quickly”
- Exfiltrate funds
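The playbook above leaves a recognisable footprint in the e-mail itself: an executive's display name on an external address, a Reply-To that points elsewhere, the urgency phrases quoted above, and a request to move money. The following is an added example of a triage check a mail gateway or SOC script could run to hold such messages for a human to question first; it is not code from the original post. The executive roster, the organisation domain and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed roster and domain (hypothetical, not from the original post).
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane citizen", "sam treasurer"}  # lower-cased display names

# Avoidance phrases quoted in the post, plus a few common variants.
URGENCY_PHRASES = (
    "need this done now", "in a meeting", "must execute quickly",
    "urgent", "asap", "can't talk",
)
PAYMENT_PHRASES = ("transfer", "wire", "payment", "invoice", "bank details", "funds")

WEIGHTS = {
    "exec_name_external_sender": 3,  # strongest signal: exec name, outside address
    "reply_to_mismatch": 2,          # replies routed away from the apparent sender
    "urgency_language": 1,
    "payment_request": 1,
}
HOLD_THRESHOLD = 4


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> dict:
    """Score one RFC 822 message for executive-impersonation signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(addr), _domain(reply_to)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    haystack = (msg.get("Subject") or "").lower() + "\n" + text

    signals = {
        "exec_name_external_sender": display.strip().lower() in EXECUTIVES
        and from_domain != ORG_DOMAIN,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "urgency_language": any(p in haystack for p in URGENCY_PHRASES),
        "payment_request": any(p in haystack for p in PAYMENT_PHRASES),
    }
    score = sum(WEIGHTS[name] for name, hit in signals.items() if hit)
    return {
        "from": addr,
        "display_name": display,
        "signals": signals,
        "score": score,
        "hold_for_review": score >= HOLD_THRESHOLD,
    }


# Constructed sample messages (not real traffic).
SUSPECT = """\
From: Jane Citizen <jane.citizen@webmail-example.com>
Reply-To: jane.citizen.private@reply-example.net
To: Sam Treasurer <sam.treasurer@example.org>
Subject: Urgent payment

Sam, I'm in a meeting and need this done now. Please transfer the funds today.
"""

LEGIT = """\
From: Jane Citizen <jane.citizen@example.org>
To: Sam Treasurer <sam.treasurer@example.org>
Subject: Q3 budget review

Sam, attached are the slides for Thursday. No action needed before then.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        result = score_message(raw)
        print(label, result["score"], result["hold_for_review"], result["signals"])
```

The score is deliberately dominated by the header signals: urgency wording alone never reaches the hold threshold, because genuine executives also write terse e-mails, while an executive's name on an outside address combined with a redirected Reply-To does. A held message is not blocked; it is routed to the recipient with the signals listed, which is the "question first, act second" habit the awareness program is trying to build.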
You may ask: while a business is easy to profile, most don’t place organisational charts on the Internet, do they? They don’t, but an org chart can be built using another very useful profiling tool, one that provides a wealth of information about people, roles, responsibilities, history, skills and business associates.
That tool, LinkedIn, can be used for free.
While we certainly do not suggest everyone exits LinkedIn in droves, it is worth considering, for those in senior executive positions, how much information is actually divulged.
The best defence is a good
Defence in depth is an approach used in information security to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
Defence in depth was originally a military strategy that seeks to delay rather than prevent the advance of an attacker by yielding space to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system, where multiple layers of defence prevent espionage and direct attacks against critical systems. In terms of computer network defence, defence in depth measures should not only prevent security breaches but also buy an organisation time to detect and respond to an attack, and so reduce and mitigate the consequences of a breach.
The mistake many organisations make is that they see defence in depth as a series of technical controls. While technical controls are important, the way that humans interact with technology is just as important. There aren’t many technical controls to stop a CFO transferring funds for what they believe is a legitimate business transaction. Social engineering is the new malware because humans are always the softest targets, and the only defence against social engineering is user education.
Good user education programs not only train users to question first and act second, but also test the effectiveness of that training on a regular basis. Without a good security awareness program in place, your users are prime targets.