You’ve probably heard about the big security breach suffered by Twitter. You may also have heard that it was a social engineering and spear-phishing attack on Twitter employees that caused the breach. The attackers accessed the company’s powerful customer administration tools – something akin to the “crown jewels”. This incident affected dozens of user accounts, including those of Joe Biden, Bill Gates, Elon Musk and Kanye West.
It’s alarming to think that a company as big as Twitter didn’t have proper security measures in place when they knew they were a target. They should have been able to stop an attack that apparently took a few teenagers only a few hours to perform with some social engineering and spear-phishing emails. But while the attack itself may have only taken a few hours, it’s likely the result of many days of research and planning.
Regardless of whether it took the attackers hours or days to plan and execute the attack, it should not have been successful. Twitter knows it is a big target, for many reasons.
People, process and technology
The challenge is that every company does risk management differently and there is no standard for completely securing an organization. Often, organizations in regulated industries, or with more valuable corporate customers, have very strict policies and processes, along with appropriate security technologies. This usually makes it harder – but not impossible – for attacks like this to succeed. Without a solid, well-planned security framework in place, attackers can often do the research to find the weaknesses and limitations that are easiest to exploit.
For example, a high profile organization may have the budget allocated for security technologies like Multi-Factor Authentication (MFA), which can reduce the risks of simple stolen passwords. However, an employee can be tricked into using their legitimate access to do something they think is helpful for a co-worker or customer, but which really benefits the attacker. So, there are often key processes and people that are very difficult to “configure” in ways that will thwart a determined attacker.
I know the policy, but I’m really not a target, so…
Most people don’t realize the amount of time some attackers are willing to put into researching their targets and launching multiple “mini-attacks”, just to learn the limits of an organization’s defenses. There are documented stories online of social engineers making as many as 7 different phone calls to employees in different functional departments of a target organization before sending a spear-phishing email to a new employee. The final stage of the attack may look simple, such as an email with an attachment the recipient needs to review.
All of that research makes it highly probable that the employee will open an attachment or click a link that successfully launches malware onto their computer.
The main problem for organizations, even if they have good security policies and procedures, is that most employees don’t feel they are likely to ever be targeted. They really can’t imagine a scenario that would result in an attacker exploiting them. It just seems too implausible.
There may even be disincentives, such as customer service representatives whose bonuses are tied to reducing costly management escalations – so they may try extra hard to please a caller. This can cause them to let their guard down in a very predictable way when a social engineer calls them. In the employee’s mind, the benefit outweighs the risk.
Employees need to understand why and how the organization could be targeted [Hint: Mock phishing emails aren’t enough.]
Any organization can be targeted because of its own valuable information or systems. Organizations are also often chosen because of their close connections to customers, partners or suppliers, which may be the ultimate target. So any unsuspecting employee is likely to be on the path of a social engineering attack.
This makes it increasingly important for every employee not only to know the standard security policies, but to be practiced in the kinds of situations they may face that could really expose data or systems in a social engineering attack.
What kinds of training programs can address risks from social engineering attacks?
Your organization may have a program that tests employees with live, mock phishing exercises. This is a good start for getting employees to realize that they can be targeted. But these exercises are often not tailored or relevant enough to show employees how they, specifically, could be singled out.
If your team assumes the only way they are likely to be attacked is with a standard phishing email, it may be time to initiate a more comprehensive defensive training program, such as the gamified social engineering training offered by Click Armor. Our gamified awareness training platform is specifically designed to allow people to learn through interactive challenges, and then exercise those skills in gamified simulations.
If you’d like to learn more about our off-the-shelf gamified awareness programs, or about our services for bringing your own awareness training content to life through gamification, please contact us.