We’ve all heard the common adage that people are the weakest link in security. Lock your workstation when you step away, don’t write your passwords on sticky notes stuck to your monitor, watch who you let into the building: security awareness programs were designed to mitigate that weak link.
But is this enough? In a world where everything we do is connected online, where every achievement and failure is shared and every part of our lives is being integrated with the internet, the answer is no.
In this Golden Age of Information, what employees do outside of work matters just as much to your security posture as what they do during work hours.
Open-source intelligence, or OSINT, is the practice of collecting publicly available information about a target, whether that is a person, a company, or a system. Entire frameworks of free and open-source tools exist for finding information tied to email addresses, phone numbers, social media accounts, and much more.
If an attacker wants to target “company-XYZ”, one of the first phases of the attack is reconnaissance. On LinkedIn, one can find new employees of “company-XYZ” (because who doesn’t share a new position at a new company?) and begin recon with OSINT tools. Once an attacker has a target, finding additional information, linking accounts, and discovering personal email addresses is not difficult.
With a personal email address, an attacker can query breach databases and sites like "haveibeenpwned" to discover which breaches that address appears in. haveibeenpwned itself only reports the breaches, but the raw breach dumps circulating online often include the passwords themselves. This is a critical issue when you consider that as many as 65% of people reuse passwords across accounts. With candidate passwords in hand, the attacker only needs a search on hunter.io to learn the format of “company-XYZ’s” employee email addresses, and can then try those passwords against the corporate account. New employees who just wanted to get through onboarding as quickly as possible, and who are unaware of basic cyber hygiene, may have reused a password and become the entry point for a security breach.
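As an added example, not code from the original post, here is how the “learn the address format, then guess the rest” step of that reconnaissance is typically automated. Given a handful of harvested addresses for a fictional domain, it votes on which naming convention they follow and then generates candidate addresses for names scraped from LinkedIn. The names, addresses and the domain `company-xyz.example` are constructed for illustration; the pattern list is an assumption about the conventions worth checking, not an exhaustive one.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: addresses an attacker might have harvested for the
# fictional company-XYZ (e.g. from a breach dump or a hunter.io-style search).
# Names and domain are invented for this example.
KNOWN_ADDRESSES: List[Tuple[str, str, str]] = [
    ("Alice", "Nguyen", "alice.nguyen@company-xyz.example"),
    ("Bob", "Okafor", "bob.okafor@company-xyz.example"),
    ("Carol", "Smith", "csmith@company-xyz.example"),
]

# Candidate naming conventions (an assumed, non-exhaustive list).
# Each maps (first, last) -> local part of the address.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def normalize(name: str) -> str:
    """Lower-case a name and strip everything that is not a-z."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_format(samples: List[Tuple[str, str, str]]) -> Optional[Tuple[str, str]]:
    """Return (pattern_label, domain) explaining the most sample addresses,
    or None if no known pattern matches any of them."""
    votes: Counter = Counter()
    domains: Counter = Counter()
    for first, last, addr in samples:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        f, l = normalize(first), normalize(last)
        for label, fn in PATTERNS.items():
            if fn(f, l) == local:
                votes[label] += 1
    if not votes:
        return None
    return votes.most_common(1)[0][0], domains.most_common(1)[0][0]


def generate_candidates(names: List[Tuple[str, str]], label: str, domain: str) -> List[str]:
    """Apply the inferred convention to new (first, last) names."""
    fn = PATTERNS[label]
    return [f"{fn(normalize(f), normalize(l))}@{domain}" for f, l in names]


if __name__ == "__main__":
    fmt = infer_format(KNOWN_ADDRESSES)
    print("inferred format:", fmt)
    if fmt:
        # constructed "new hires" an attacker might have found on LinkedIn
        for addr in generate_candidates([("Dana", "Park"), ("Eve", "O'Brien")], *fmt):
            print("candidate:", addr)
```

Defenders can run the same logic against their own domain to see how predictable their addresses are; a convention that a majority vote can recover from three samples is one an attacker will recover too.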
In 2012, roughly 68 million Dropbox account credentials were stolen with this very method. A Dropbox employee’s LinkedIn password had been exposed in the LinkedIn breach, and the attacker reused that same password on the employee’s Dropbox internal account. Better personal cyber hygiene would have prevented it. In some cases a single compromised account gives an attacker a foothold from which to reach shared servers and the rest of the network. Strong passwords are long and unique to each account, which makes them hard to memorize, so use a password manager to keep track of them. Other cyber hygiene basics include enabling multi-factor authentication, running antivirus software, and applying software updates promptly.
The severity of password compromise cannot be overstated given how rampant password reuse is. Know which of your accounts are connected to known data leaks; sites like "haveibeenpwned" are a good place to begin. If your information turns up in a leak, change the passwords on the affected accounts (and anywhere else you used the same password) to new, strong passwords or passphrases.
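The right way to check a candidate password against breach data, whether during onboarding or in a self-service reset flow, is the k-anonymity range lookup offered by haveibeenpwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 hash leave the machine, and the client matches the remaining 35 characters locally. The following is an added example, not code from the original article or from Have I Been Pwned. The endpoint, response format and `Add-Padding` header are the real ones; `fetch_range_offline` and its sample response body (including the count of 12345) are constructed so the example runs without network access, and `fetch_range_live` shows the real request shape but is not exercised here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API (k-anonymity model): the
# client sends only the first five hex characters of the SHA-1 and receives
# every suffix in that bucket together with its breach count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of `password` into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated) into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # skip anything that is not a well-formed range line
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often `password` appeared in known breaches (0 = not found).

    `fetch_range` takes the 5-char prefix and returns the response body, so
    the network layer can be swapped for an offline stub.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API. Add-Padding makes every response a similar size,
    so an observer on the network cannot infer the bucket from its length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hygiene-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live API so the example runs offline. The first
# suffix is the real SHA-1 tail of the string "password"; the counts and the
# other suffixes are made up. Padded entries from the real API carry count 0.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    + "ABCDEF0123456789ABCDEF0123456789ABC:7\r\n"
    + "0" * 35 + ":0\r\n"  # padding entry, never a real hit
)


def fetch_range_offline(prefix: str) -> str:
    """Constructed substitute for fetch_range_live (assumption for this example)."""
    if prefix == "5BAA6":
        return SAMPLE_RANGE_BODY
    # any other bucket: only padding, i.e. nothing known to be breached
    return "F" * 35 + ":0\r\n"


if __name__ == "__main__":
    for candidate in ("password", "an-unlikely-passphrase-of-my-own"):
        n = pwned_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

Because a padded entry always has a count of 0, the lookup treats it exactly like an absent suffix, so enabling `Add-Padding` costs nothing in accuracy. Any non-zero count should block the password at onboarding; a password that appears even once is already in a list attackers spray against corporate logins.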
Another attack vector that may or may not be covered in standard cyber security awareness programs, depending on their scope, is social media. Is your head of IT posting vacation photos on Instagram, telling the world that he’s out of the office and potentially leaving information systems in less experienced hands? How about the group photo your intern posted on LinkedIn with a company building access badge clearly visible around one employee’s neck? (That one is a real-life example used in a very popular penetration testing course.)
Think personal social media use is unlikely to expose critical information? Think again. In June 2021, Congressman Mo Brooks, who sits on a subcommittee with jurisdiction over the DoD’s cybersecurity policies, posted a photo of his monitor to Twitter. Taped to the bottom of the screen were his PIN and other sensitive information. The tweet was later removed and reposted with that information cropped out.
If a congressman can make that mistake, your employees can too.
Oversharing isn’t limited to photos, either. Social media is a great place to talk about your favorite sports team, your pets, the schools you attended, your first car... Sound familiar? That’s because these are common security questions for password resets and other account-recovery flows. Even a single mention of which team you root for or your dog’s name gives an attacker another piece of a detailed puzzle.
Social media is a treasure trove of information for any attacker. Be aware of what you post and don’t be afraid to purge old content every now and then; the more information you leave up, the easier it is to exploit. Attackers routinely mine social media to craft relevant, personalized phishing messages that trick targets into opening suspicious links and downloading attachments that install malware. While malware is still typically delivered by email, some attackers have begun delivering it through social media platforms as well.
Companies need a robust, regularly updated security awareness training program. Employees need to be able to recognize social media phishing attempts and spot spoofed brand accounts. Other best practices include timely security patching and a clear social media usage policy that spells out what information may be shared on these platforms and how to remediate exposures when they occur.
The End Goal
In this era, it isn’t enough to educate your employees about security only at work. Until security awareness and cyber hygiene permeate our daily lives, these threat vectors will persist and remain a leading cause of breaches and attacks. One step toward that goal is developing a risk-aware culture both inside and outside your organization. Viewing your security posture through a “risk-first” lens better equips you and your teams to respond proactively to potential threats.
Risk management and proactivity don’t have to be complex. To see how CyberStrong can simplify risk management and empower your teams with unparalleled visibility into risk, contact us.