On the heels of the massive Target breach in 2013, we saw several other companies falter this year. eBay, for example, had an issue that originated from a security flaw - an IT expert discovered a vulnerability that allowed him to take control of any eBay account with the only requirement being that he knew the person’s username, which is public information on the site. The rest as they say is history - eBay sent an email out to all users to update their information. However, at this point the damage is done, and the real threat is what can happen with that data out in the world.
The biggest problem with the eBay breach is that in addition to usernames and passwords, additional information include Date of Birth, telephone numbers, and addresses were also included. This means that via some cunning questioning, a malicious entity could call claiming they represent company X, verify your information with you, and then get you to provide the missing pieces of the puzzle they would need to hijack bank accounts and more. This technique is referred to as “Social Engineeringâ€. It isn't limited to phone conversations - emails custom-made for victims can contain private information to look that much more legitimate, resulting in even cautious users giving up the goods as it were, and providing the hackers the information they need to really get started.
Say one of your employees received an email that appears to be coming from your HR department. They may ask to verify some information for company records, and they might send the information that the hacker has, as well as some information that might be an educated guess. The employee, seeing a spoofed email address, doesn't know that the sender is actually trying to steal information from them, so they correct the data and send it back without thinking twice. Because of this, a hacker that has been looking to get into a corporate database now has the credentials to get in without raising any red flags, since they got the username they were missing to get in the system.
This doesn't mean that you don’t need traditional security tools - far from it. If your database doesn't leak, then it is that much harder for hackers to have these extra nuggets of data to help them getting the missing pieces - they need to find the puzzle first. This is more a matter of being prepared for additional attacks that people might not even consider. Even something as simple as providing an email address to a person requesting can be the difference between a hacker getting into your account, or walking away because they are missing the one key they need to get what they want.
This also means that traditional internet security techniques need to spread outside the traditional realm of avoiding funny emails and shoddy websites. Employees and users now also need to be cautious about receiving strange phone calls and text messages as well, things that haven’t been historically covered by IT security training. The biggest thing that you can impart to anyone that works with your organization is vigilance, since so much data is now out and about.
To defend your organization from these threats, a firewall to protect against traditional IT threats is a must, but so is a training plan to educate employees on the potential dangers that exist on the internet. I highly recommended working with a service provider to detail any possible threats and work from there accordingly.
Alejandro
