Since attackers commonly use social engineering to infect users, training your employees to recognize the signs of social engineering becomes imperative. Email is the most common channel for influencing end users, and it leaves them vulnerable on several levels because we all rely on it as a communication tool. As these attacks mature we’re seeing a level of detail and execution that fools even the most cautious users.
In one incident a VP of Finance, soon to be CFO, received an emergency request from the CEO for a wire transfer to a business account. The email was very convincing: it appeared to come from the CEO of the organization, carried a specific deadline, and was very effective at getting the VP to send the money. The loss was not only the $250,000 sent to an unknown account; the VP was also let go for the oversight. In the scramble to understand what had happened we learned that the email was exceptionally well crafted, and that the VP was usually the best at detecting malicious emails and submitting them for review. So why did she fail to detect this one, and what could we learn to prevent something like this in the future?
We came to the conclusion that she probably shouldn’t have been held accountable, given the timing and execution of this email and the very few telltale signs that it was not legitimate. It had the correct return address, used the same signature and formatting, and was even a short, if not curt, request for immediate attention that matched the sender’s previous emails. We determined that with training and practice emails, threats like this can be stopped at the entry point, at the beginning of the process where our weakest links exist. Anti-virus, firewalls, and other filtering or prevention techniques are simply not effective against threats that carry no payload. And when a payload such as ransomware is attached to or linked from the email, it is so new and looks so legitimate that even the best protections in the world initially let it through.
There are methods of sending test emails that mimic the situations in which users will be tempted to click through; when a user does, an alert is raised on our end that the user failed to detect our simulated mail. At that point we record the event, remind the user not to click through on suspicious emails, and collect data across the organization so that corrective training can be prepared. We’ve learned that this training brings a near perfect success rate as we coach repeat offenders in exceptional detection techniques for malicious emails.
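The record-and-collect step above, as an added example that is not part of the original post: given simulation outcomes, it computes the click rate per campaign, the users who clicked in more than one campaign (the repeat offenders to coach), and the rate at which each department reported the test mail instead of acting on it. The event records, campaign names, departments and outcome labels are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of phishing-simulation events (not real data): one
# record per recipient per campaign, as the simulation server observed it.
# Outcomes: "clicked" (failed), "reported" (desired), "ignored" (neutral).
SAMPLE_EVENTS = [
    # (campaign_id, user, department, outcome)
    ("q1-invoice",  "alice", "finance", "clicked"),
    ("q1-invoice",  "bob",   "finance", "reported"),
    ("q1-invoice",  "carol", "sales",   "ignored"),
    ("q1-invoice",  "dave",  "sales",   "clicked"),
    ("q2-ceo-wire", "alice", "finance", "clicked"),
    ("q2-ceo-wire", "bob",   "finance", "reported"),
    ("q2-ceo-wire", "carol", "sales",   "clicked"),
    ("q2-ceo-wire", "dave",  "sales",   "ignored"),
    ("q3-payroll",  "alice", "finance", "reported"),
    ("q3-payroll",  "bob",   "finance", "ignored"),
    ("q3-payroll",  "carol", "sales",   "clicked"),
    ("q3-payroll",  "dave",  "sales",   "ignored"),
]


def click_rate_by_campaign(events):
    """Fraction of recipients who clicked, per campaign (tracks the trend)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _user, _dept, outcome in events:
        sent[campaign] += 1
        clicked[campaign] += outcome == "clicked"
    return {c: clicked[c] / sent[c] for c in sent}


def repeat_offenders(events, threshold=2):
    """Users who clicked in at least `threshold` distinct campaigns."""
    clicks = defaultdict(set)
    for campaign, user, _dept, outcome in events:
        if outcome == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= threshold)


def report_rate_by_department(events):
    """Fraction of test mails a department reported, the behaviour to reward."""
    sent, reported = defaultdict(int), defaultdict(int)
    for _campaign, _user, dept, outcome in events:
        sent[dept] += 1
        reported[dept] += outcome == "reported"
    return {d: reported[d] / sent[d] for d in sent}


if __name__ == "__main__":
    print(click_rate_by_campaign(SAMPLE_EVENTS))
    print(repeat_offenders(SAMPLE_EVENTS))
    print(report_rate_by_department(SAMPLE_EVENTS))
```

The repeat-offender list is the coaching queue; the per-campaign rate is what to watch as the training takes hold.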
There is only so much technology an organization can deploy, manage, and update for network intrusion prevention, but at the end of the day our weakest links sit between the keyboard and the chair.
In a quickly expanding technological world it’s important to remember that training is a far less expensive prevention technique, and one you can employ at a moment’s notice.
As for the VP of Finance, we worked with the CEO to recognize the inevitability of the attack and its particularly vicious method of intrusion. He agreed to re-hire her because, in his own words, “she was the best he had ever worked with.” Don’t lose a great employee for failing to give them the tools to be successful! Prevention is better than the cure.
The original question was: what is the weakest link in your network security? The people you employ. Let’s help them become human firewalls and avoid costly mistakes with simple but effective training.