Skip to main content

Attackers have more potential entry points into your organization than ever before. And many are brushing up on their acting skills, getting more creative and increasingly personal to spoof the most unsuspecting employees and launch their attacks

 .

New IDSA Survey Indicates Decreased Confidence in Securing Employee Identities  

Nearly every part of daily life — at home and work — turned upside down last year. The global shift to remote work and eLearning, large-scale investments in SaaS and cloud services and strong focus on digital transformation has brought a surge in newfound technologies and identities.

According to the “2021 Trends in Securing Digital Identities” survey from Identity Defined Security Alliance (IDSA), 83% of IT security and identity professionals experienced an increase in identities since last year, with one in five (20%) reporting that the number of identities they manage increased by more than 25%. Meanwhile, security teams’ confidence in their ability to secure employee identities dropped from 49% to 32%.

This decrease in confidence in securing employee identities is particularly interesting on several fronts.  First, the survey found that confidence levels in securing privileged users, customers and partners remained fairly steady. And in contrast, respondents reported increased confidence in securing machine identities, such as service accounts and applications. So why are employee identities, specifically, becoming harder to secure? Perhaps it’s because attackers are changing things up.

The New Faces of Privileged Users

One thing that hasn’t changed is the way attackers establish initial entry points into target organizations: credential theft methods like spear-phishing and impersonation are as popular as ever. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) found that 36% of all breaches last year involved phishing — up 11% from the previous year. Since employees are conducting more and more of their personal lives online, it’s becoming even easier for attackers to gather the necessary information required to execute their social engineering campaigns — monitoring public profiles and social media conversations to collect intel on everything from work routines to personal relationships, beliefs, motivations and more. After sizing them up, attackers often connect with their targets on social media and attempt to gain their trust.

What has changed are the individual targets of these social engineering attacks. Traditionally, adversaries focused their attention on IT admins with highly privileged access. But as the “The CISO View 2021 Survey: Zero Trust and Privileged Access” recently discovered, they’re going after new user populations, from executives and software developers to end-user employees — including business users with direct access to sensitive data or systems the attacker is interested in. Let’s review some of these new user populations and highlight examples of how they can become victims of social engineering attacks:

The Developer

This software engineer leads a team of developers at a leading financial institution, and her impressive list of technical certifications features prominently on her LinkedIn profile page. Outside of work, she’s building a large social media following of coders who flock to her channels for a mix of dry humor and deep programming know-how. A few months ago, a fellow developer connected with her on LinkedIn, referencing their shared interest in Python and Ruby programming languages. They soon became fast online friends. One day, this new friend mentions that a cousin is looking for a development job in the area. The software engineer promises to pass along her information and soon receives the cousin’s résumé in her work email. She clicks on the résumé and skims it before forwarding it to HR. Little does she know that her “friend” is really a cyber attacker who created a fake online persona and has spent months building a rapport with her in order to send that email, which contains malware cleverly disguised in the attachment. The developer’s LinkedIn profile, coupled with her daily social posts, helped the attacker gauge the high levels of access she likely had at her employer organization, and unintentionally, painted a target on her back.

It’s not just human developers that attackers are after. They know privileged credentials and secrets are often embedded directly into code and target application and machine identities as a way to launch attacks that can spread across customer-facing products — and in some cases — infect the entire digital supply chain.

In some instances, attackers are able to bypass the credential theft step altogether by impersonating an executive or third party to make direct requests for funds or data. Consider these next two business user examples:

The Middle Manager

This financial controller works at a large manufacturing organization. It’s Monday morning, and she’s just beginning her day. Coffee in hand, she opens an email marked “urgent” from the CEO of her company’s parent organization, which is located halfway around the world. He explains that the banks are closed for a holiday, and he needs to urgently wire funds to a third party to close a big deal. She’s suspicious, but the email looks legitimate and comes from the CEO’s verified email address.

Suddenly, her phone rings. It’s the CEO calling from overseas to follow up. He explains the situation again, providing all of the necessary information on the company and transaction. The financial controller follows protocol, getting a second team member to review the request and verify the details. Then, they authorize the wire transfer. Just a few hours later, they realize the call was a scam — and the company is out millions of dollars after trying unsuccessfully to cancel the transaction.

The Research Assistant

Working for a prominent biotech company, this researcher is developing a new lifesaving drug. His team collaborates with analysts in a partner healthcare organization, and each team member has access to large amounts of sensitive patient and medical data to fuel their research.

One day, he receives an email from a partner analyst asking him to send over the latest data. Since he works with this analyst regularly, he attaches the requested information without a second thought and hits “send.” However, this highly lucrative intellectual property hasn’t gone to his trusted research partner — instead, it’s now in the hands of a nation-state attacker.

End-Users are the New Privileged Path of Least Resistance to Valuable Systems and Data

Employee or contractors with high-value access are becoming more interesting targets for attackers for several reasons. Like everyone, they want to work smarter — not harder. Rather than breach an arbitrary workstation and then move around the network searching for a particular system, attackers can pursue more direct routes by precisely targeting individual end-users.

Emphasis has also shifted to end-users because it’s becoming more difficult to compromise IT admin accounts. Many organizations are aware that damaging breaches occur when attackers obtain powerful admin credentials and have put strong controls in place through a privileged access management system. What’s more, opportunities for lateral movement within the network are getting harder for attackers to find. As more organizations move to a Zero Trust model, more endpoints connect to resources directly rather than being given broad access.

Protecting End-User High-Value Access

The first step in protecting high-value access is identifying the employees and third parties who directly touch your company’s valuable systems. Depending on your organization, these could be financial systems, customer databases, product development systems or manufacturing processes.

Then, consider all of the ways these systems and data can be accessed by users: through what applications and infrastructure, interacting with which other types of users and using what devices?

From there, focus on implementing a strong mix of Identity Security controls, such as least privilege enforcement and adaptive MFA, along with targeted user training to raise awareness and strengthen security practices.

Comments

Post a Comment

Popular posts from this blog

Elon Musk wants Twitter to be a free speech town square

  Elon Musk wants Twitter to be a free speech town square by   daysall     April 18, 2022 0 SHARES Elon Musk’s vision for Twitter is a public town square where there are few restrictions on what people can or can’t say on the Internet. But the utopian ideal envisioned by the Tesla CEO ceased to exist long ago and doesn’t take into account what’s happening in the real world, tech executives, Twitter employees and Silicon Valley insiders say. As Musk seeks a $43 billion hostile takeover bid for Twitter, critics say his ambition for what the platform should be — a largely unpoliced space rid of censorship — is naive, would hurt the company’s growth prospects and would render the platform unsafe. Twitter, Facebook and other social networks have spent billions of dollars and employed armies of people to create and enforce policies to reduce hate speech, misinformation and other toxic communication that degrades public discourse. In doing so, they’ve provoked the ire not o...
Post a Comment
Read more

Trump Reportedly Told Jeffrey Rosen to Call Election 'Corrupt' Days After Barr Resigned

00:40 Share on Facebook Share on Twitter Share on LinkedIn Share on Pinterest Share on Reddit Share on Flipboard Share via Email Comments U.S. DONALD TRUMP 2020 ELECTION Trump Reportedly Told Jeffrey Rosen to Call Election 'Corrupt' Days After Barr Resigned BY  MARY ELLEN CAGNASSOLA  ON 7/30/21 AT 1:14 PM EDT Notes of a December call made by President  Donald Trump  to senior Justice Department officials, released Friday by the House Oversight Committee, show Trump urged those officials to publicly declare the results of the 2020 election "corrupt." Handwritten notes from one of the participants in the December 27 conversation demonstrate the lengths Trump went to in an attempt to reverse the results of the election and gain the support of officials in law enforcement and government leadership. Last month, emails from Trump and his allies in the final weeks of his term in office revealed that they attempted to pressure the Justice Department to look into their unsubs...
Post a Comment
Read more

The US and China both have their eyes on a country at the heart of the Indo-pacific

Indonesian light frigate KRI Bunt     Tensions continue to rise in the Indo-Pacific, where China's economic growth and military modernization have drawn the attention and concern of politicians and defense officials in the region and around the world. As China and the US compete for influence in the region, they are setting their sights on a country that has historically resisted getting involved in foreign affairs: Indonesia. With over 270 million people, Indonesia is the fourth-largest country in the world and the third-largest in Asia. Made up of over 17,000 islands that straddle the Pacific and Indian oceans, it has a commanding position over the vital Strait of Malacca and the traditional maritime approaches to Australia. "The geopolitical challenges of the future, Indonesia sits in an incredibly important strategic location," Michael Green, senior vice president for Asia and Japan chair at the Center for Strategic and International Studies, told Insider. Indonesia...
Post a Comment
Read more