Mitigating the Risk of Social Engineering

Peel back the layers of most enterprise data breaches, and credential theft will be at the center.

For an attacker, user credentials are worth their weight in gold, and getting them means exploiting the weakest link in the chain of cybersecurity: people.

Even in 2020, social engineering remains arguably the most reliable tool in an attacker’s toolbox. Whether it’s an email lure or a dubious phone call, targeting user credentials through these schemes is a critical step toward compromising a business; protecting those credentials, therefore, is a vital step toward establishing a secure environment.

Doing that, however, involves understanding how and why social engineering works and implementing effective controls to bolster your digital defenses.

The Human Factor
Cybercriminals love low-hanging fruit. Buying a zero-day exploit on the dark web can be expensive; by comparison, taking advantage of human weakness is cheap and easy. According to IDSA’s latest research, “Identity Security: A Work in Progress,” the most common cause of identity-related breaches during the past two years is phishing. Other reasons include poorly managed privileges and brute-force attacks.

Whatever the cause, the result for businesses remains costly. In 2019, the FBI’s Internet Crime Complaint Center recorded almost 24,000 complaints about Business Email Compromise (BEC) scams, which, when taken together, cost victims more than $1.7 billion in losses. BEC scams target specific types of employees with spoofed emails designed to trick them into transferring money to the attacker. These emails often appear to come from a legitimate source, such as a vendor or high-ranking executive.

Impersonating a trusted party in this way abuses the faith legitimate users have in one another and is a key feature of many forms of social engineering. In the physical world, it can take the form of tailgating, where an unauthorized person sneaks into a restricted area by walking behind a legitimate employee. Another technique is vishing, where a scammer places a telephone call to a target and uses a pretext to obtain information to facilitate identity theft or unapproved access to the network (often using caller ID spoofing to add to their authenticity).

By far the most common social engineering technique, however, is phishing. Like all social engineering schemes, phishing exploits human frailty: our willingness to open an email that appears to concern our jobs or that appeals to our personal interests. Whether it’s a message about a global pandemic or an urgent note about an unpaid invoice, threat actors can be counted on to craft the best bait for their hook.

Building a Strong Defense
Fighting back requires a multipronged strategy, starting with the principle of least privilege: ensuring that users have the right access to the right resources at the right time, and no more than they need to do their jobs. Enforcing minimal user rights limits the damage an attacker can do with a set of compromised credentials, because the stolen account reaches only what its owner legitimately needed. Least privilege is also one of the core security outcomes recommended by IDSA, and in the IDSA report mentioned above it was one of the most commonly implemented security approaches among those surveyed.

Another critical identity-centric outcome is multifactor authentication (MFA), especially for privileged accounts: with a second factor in place, a phished or brute-forced password alone is no longer enough to log in. MFA is also among the most widely implemented approaches to identity-centric security, along with the ability to continuously discover what access users actually hold and to revoke access when a high-risk security event occurs.
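To make the last two controls concrete, here is an added example (my own illustration, not SailPoint's or IDSA's code) of the logic behind "discover access rights and revoke on high-risk events." It models a small identity store and two feeds: authentication events and entitlement-usage events. Three high-risk conditions are checked, of which only two come from the page (a privileged login without MFA, and a brute-force pattern of repeated failures followed by a success); the third, two successful logins from different countries within an hour, is my assumed addition. Entitlements unused for 90 days are flagged for revocation. All accounts, thresholds and events below are constructed for the example.

```python
"""Added example: toy identity-risk evaluator (not vendor code).

Demonstrates two identity-centric controls discussed above:
  * revoke access when a high-risk authentication event is observed
  * continuously discover entitlements and strip those no longer used
Thresholds and sample data are assumptions made for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    user: str
    entitlements: set            # names of entitlements the account holds
    privileged: bool             # admin-level account?
    active: bool = True


@dataclass
class AuthEvent:
    user: str
    when: datetime
    country: str                 # geolocation of the source address
    success: bool
    mfa_used: bool               # True when a second factor was completed


@dataclass
class AccessEvent:
    user: str
    when: datetime
    entitlement: str             # entitlement exercised at that time


# Assumed policy thresholds
BRUTE_FORCE_THRESHOLD = 5               # failures before a success that we treat as guessing
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)      # two countries inside this window is "impossible travel"
STALE_AFTER = timedelta(days=90)        # entitlement unused this long is revoked


def risk_reasons(account: Account, events: list[AuthEvent]) -> list[str]:
    """Return every high-risk condition observed for this account (empty list = clean)."""
    mine = sorted((e for e in events if e.user == account.user), key=lambda e: e.when)
    reasons = []
    # 1. privileged accounts must always complete MFA
    if account.privileged and any(e.success and not e.mfa_used for e in mine):
        reasons.append("privileged login without MFA")
    # 2. brute force: N failures inside the window, then a success
    failures = [e.when for e in mine if not e.success]
    successes = [e for e in mine if e.success]
    for s in successes:
        recent = [t for t in failures if s.when - BRUTE_FORCE_WINDOW <= t < s.when]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            reasons.append(f"success after {len(recent)} failures within {BRUTE_FORCE_WINDOW}")
            break
    # 3. impossible travel between consecutive successful logins (assumed rule)
    for a, b in zip(successes, successes[1:]):
        if a.country != b.country and b.when - a.when <= TRAVEL_WINDOW:
            minutes = int((b.when - a.when).total_seconds() // 60)
            reasons.append(f"logins from {a.country} and {b.country} {minutes} minutes apart")
            break
    return reasons


def stale_entitlements(account: Account, access: list[AccessEvent], now: datetime) -> set:
    """Entitlements the account holds but has not exercised within STALE_AFTER."""
    last_used = {}
    for e in access:
        if e.user == account.user and e.entitlement in account.entitlements:
            last_used[e.entitlement] = max(last_used.get(e.entitlement, e.when), e.when)
    return {ent for ent in account.entitlements if now - last_used.get(ent, datetime.min) > STALE_AFTER}


def enforce(account: Account, auth: list[AuthEvent], access: list[AccessEvent], now: datetime) -> list[str]:
    """Apply the policy: disable on high-risk events, revoke unused entitlements. Returns actions taken."""
    actions = []
    reasons = risk_reasons(account, auth)
    if reasons:
        account.active = False
        actions.append("disable account: " + "; ".join(reasons))
    stale = stale_entitlements(account, access, now)
    if stale:
        account.entitlements -= stale
        actions.append("revoke unused entitlements: " + ", ".join(sorted(stale)))
    return actions


# Constructed sample data
NOW = datetime(2020, 8, 1, 12, 0)


def sample_accounts() -> dict:
    return {
        "alice": Account("alice", {"crm-read", "payroll-admin", "vpn"}, privileged=True),
        "bob": Account("bob", {"crm-read", "vpn"}, privileged=False),
    }


SAMPLE_AUTH = [
    # alice: normal US login, then five failures and a non-MFA success from abroad 45 minutes later
    AuthEvent("alice", NOW - timedelta(minutes=50), "US", True, True),
    *[AuthEvent("alice", NOW - timedelta(minutes=12 - i), "RU", False, False) for i in range(5)],
    AuthEvent("alice", NOW - timedelta(minutes=5), "RU", True, False),
    # bob: one ordinary MFA login
    AuthEvent("bob", NOW - timedelta(hours=2), "US", True, True),
]

SAMPLE_ACCESS = [
    AccessEvent("alice", NOW - timedelta(days=1), "vpn"),
    AccessEvent("alice", NOW - timedelta(days=3), "crm-read"),
    AccessEvent("alice", NOW - timedelta(days=200), "payroll-admin"),   # stale
    AccessEvent("bob", NOW - timedelta(days=2), "vpn"),                 # bob never used crm-read
]


def run_sample() -> dict:
    accounts = sample_accounts()
    return {name: enforce(acct, SAMPLE_AUTH, SAMPLE_ACCESS, NOW) for name, acct in accounts.items()}


if __name__ == "__main__":
    for user, actions in run_sample().items():
        print(user, actions or ["no action"])
```

The two halves reinforce each other: even before alice's account is disabled, the stale-entitlement pass would have stripped `payroll-admin`, so a credential phished the day before would not have reached payroll at all. In production the thresholds, the geolocation source and the revocation path would come from your identity platform; the structure of the checks is what carries over.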

Defense-in-depth, however, can’t focus solely on technology. It’s also a matter of awareness and policy. A culture of security awareness, built in a supportive and non-punitive way, encourages employees to adopt more secure behaviors and to report the lures they receive rather than hide them. Training programs should be role-based (finance staff see BEC examples, help-desk staff see vishing pretexts) and updated regularly in response to new social engineering campaigns and tactics.

Strengthening Security
Social engineering and credential theft are core components of cybercrime. Placing identity at the center of your security strategy, however, takes some of the teeth out of these threats. As organizations seek to strengthen their security posture, a Zero Trust approach lets employees do what they were hired to do without accepting the risks that come with over-entitled accounts. Security and identity management solutions that support this approach can help you move in the direction of building a more secure enterprise.

Join me September 3rd, for an insightful webinar – Hacking Identity: The Good, Bad and Ugly of Identity-Centric Security Controls – where I’ll dig deeper into the tricks used by hackers to steal credentials and how you can reduce the risk through identity-centric security.

About the Author: Jerod Brennen (@slandail) is a storyteller, teacher, speaker, advisor, and security architect. He works as an Identity Strategy and Solutions Advisor for SailPoint. By night, he’s a husband, father, writer, filmmaker, martial artist, musician, and gamer. It’s fair to say that he’s earned every gray hair in his beard, having spent his career fulfilling infosec roles in consulting, higher education, retail, and public utilities. Jerod loves to share what he’s learned over the years every chance he gets: at local and regional professional meetings, at larger conferences, and online via blogs and podcasts. He has published multiple online information security courses with Pluralsight and LinkedIn Learning, and he also teaches courses in person, both domestically and internationally.