Tag Archives: social engineering

Cloud Computing: Good, Bad & Ugly

18 Jan 17
lverbik

When a network of IT gadgets like routers, DVR machines and closed-circuit TVs can take down hardened, well-provisioned Internet giants like Twitter, Spotify and Amazon – as happened last October – you’ve got to think twice before moving your data to the cloud.

Yes, a move to the cloud can yield big payoffs in terms of cost savings, increased efficiency, greater flexibility, collaboration for your workforce and more. Yet there is a dark side. It would be naive to think otherwise. Your choices about whether and how to use cloud technology in your network merit serious consideration.

So, just what is “the cloud”?

Instead of constantly buying new equipment and software, cloud computing allows you to pay for just what you need. Just as with a utility company, you get software and storage on a monthly basis, with no long-term contracts. Chances are, most of the software you now use is cloud-based. You simply access it on a pay-as-you-go basis.

Similarly, you can store data in the cloud, where it can be easily accessed when you need it. This reduces the need to buy and manage your own backup gear and software, thus reducing overhead. Yet, as with any major decision, it’s critical to be aware of both the benefits and pitfalls of putting your company’s data in the cloud.

The Pros

There are three major advantages offered by cloud computing:

  1. Scaling up or down can be done without major investment or leaving excess capacity idle. It also enables your entire workforce to get more done, where and when they need to.
  2. With data and software in a shared cloud environment, staff can collaborate from anywhere. Everything from HR to accounting, and from operations to sales and customer relations, can be managed from diverse and mobile environments, giving your team greater power to collaborate effectively.
  3. Disaster Recovery. Typically, data stored in the cloud can be easily retrieved in the event of a disaster. It also augments local backup and recovery systems, adding protective redundancy.

The Cons

While the cloud offers obvious benefits, it also increases your company’s potential “attack surface” for cybercriminals. By spreading your communications and access to data beyond a safe “firewall,” your network is far more exposed to a whole bevy of security concerns. Many of them can be addressed with these three best practices:

  1. Social Engineering Awareness. Whether you go cloud or local, the weakest link in your network is not in your equipment or software; it’s in the people who use them. Cybercriminals are aware of this fact. And you can count on them to come up with an endless variety of ways to exploit it. One day it’s a phone call ostensibly from your IT department requesting sensitive data, the next it’s an e-mail that looks official but contains malicious links. Make sure your employees are aware of and trained to deal with these vulnerabilities.
  2. Password Security and Activity Monitoring. Maintaining login security is absolutely critical any time you’re in a cloud environment. Train your staff in how to create secure passwords and implement two-factor authentication whenever possible. Take advantage of monitoring tools that can alert you to suspicious logins, unauthorized file transfers and other potentially damaging activity.
  3. Anti-Malware/Antivirus Solutions. Malicious software allows criminals to obtain user data, security credentials and sensitive information without the knowledge of the user. Not only that, some purported anti-malware software on the market is actually malware in disguise. Keep verifiable anti-malware software in place throughout your network at all times, and train your employees in how to work with it.

The One Attack No Tech Can Stop

22 Sep 16
lverbik

You can defend your data with all the latest and best technology. But if just one team member gets tricked into giving away the keys to the castle, it’s game over. Hackers know this. And that’s why so many use social engineering to break in.

And it’s not just the big companies you hear about on the news. On February 3, 2016, a suspect posing as the CEO of Magnolia Health Corp. obtained a spreadsheet with sensitive data about their employees. On February 23, someone posing as an employee of Central Concrete Supply Company obtained confidential W2 records and disappeared with them.

In a 2011 survey, Check Point Software Technologies found that nearly half of the companies surveyed reported one or more social engineering attacks resulting in losses ranging anywhere from $25,000 to $100,000 per occurrence.

Unfortunately, there just aren’t any whiz-bang tricks or tools that will automatically prevent a clever “social engineer” (SE) from breaking in. The keys to protection are awareness and vigilance. To help you know what to watch for, here are five common ploys – and how to deflect them:

Familiarity – In this type of scheme, the hacker becomes familiar to an employee. Social networking sites can reveal an employee’s schedule and favorite hangouts. The hacker might then frequent the same bar or restaurant. After a drink or two, some key fact may slip out… The best way to bust this ploy is to be careful to not get lulled into a false sense of security around people you haven’t thoroughly vetted.

The Consultant – A social engineer poses as a consultant for hire. Once they get the gig, they can scoop up all the info they need from you and your team because of their seeming authority. Watch for this especially with IT consultants. Do NOT trust blindly. Vet every consultant, and never give all the keys to the kingdom. Just because someone has the skills to fix your server or network doesn’t mean they won’t steal your data. Vet thoroughly, and, as Ronald Reagan said, ‘trust but verify’.

Piggybacking – The SE waits by a secured door for someone to use their passcode and enters right behind them. Or the SE struggles with a heavy box and asks a legit employee to hold the door open for them. Being kind and helpful, the employee helps the SE right into the building… free to do as they please. To foil this one, never forget the dangers of allowing a stranger in without proper clearance.

The Interview – Key information often escapes during interviews. A smart social engineer will gain an interview and deftly pick up all the information they need to hack into your network. Make sure any data provided during an interview offers nothing in the way of secrets. Keep the conversation light, or even superficial, to avoid leaking critical data.

Angry Man – You may have seen this on TV… Somebody has an angry tone on the phone, or is grumbling to themselves as if they’ve just had an argument. We all tend to avoid people like that. Enough people avoid them and the way is cleared into the heart of the company – and your data. Don’t go along with it. When you see this exploit unfolding, call security.

The key to preventing social engineering attacks is a well-trained workforce. You and your people may be your company’s greatest asset. Yet without regular, proper training, human beings can be the weakest link in your company’s data defenses.

Contact a TechnoPro for more information.