I am reminded of the wisdom of the old saw that “no news is good news” as almost every day brings us headline after headline highlighting that yet another company has experienced a systems breach and valuable data has been compromised. Companies continue to increase the amount of money spent on cyber security in an attempt to stay ahead of the attackers, and identifying the right level of investment in the right security solutions remains a challenge. In talking with the Chief Information Security Officer (CISO) of a large enterprise recently, we were somewhat taken aback by his candid feedback that the quickest way to still draw business attention – and funding – for cyber security projects, is to suffer an actual breach! Read More »
An enterprise can pay hundreds of thousands of dollars or more for the latest security software and imagine itself protected from targeted attacks that come in via the network. But if the threat is a real-live person who walks in the front door of an office or server farm, what good can the network edge software do?
Clever criminals are seeing bigger payoffs in showing up on-site to physically plug into a network rather than crafting phishing emails with links that lead to compromised websites. (Not to say that spam and other online social engineering campaigns have gone away; see the Cisco 2014 Midyear Security Report for more.) Simply being able to plug into an Ethernet connection or unplug an IP phone and use that cable to access network information can have serious consequences. Social engineering is the act of hacking people. Therefore, people—your employees—become the weakest link in your digital and physical security posture.
Criminals use similar tactics for social engineering an in-person visit as they do with emails and compromised websites. The point is to build trust (albeit misplaced) with someone who can grant access to company premises.
By researching a targeted employee on LinkedIn—for instance, discovering everything from the tasks they perform on the job to where they went to college and which sports teams they like—the criminal can present himself or herself as someone the target might know or have reason to trust. Thanks to the popularity of social networking, especially among professionals, there is a wealth of information and photos easily available to anyone who needs to get a literal foot in the door.
Armed with background information gleaned from online searches, a criminal can pretend to be a journalist and request an interview or claim to be a potential partner or customer and ask for an in-person visit. The criminal might also wear a fake badge to provide the illusion of authority.
Criminals have also figured out that they do not need to launch such scams at the front door of the organization they are targeting. Instead, they will target a weaker link: that is, a less secure business partner or supplier that has access or connectivity to their real target, which is the network. This is an especially effective technique to use when the security of a target is high, but the security of a trusted business partner of your target is not. Hackers will always try to find the easiest route in.
A mitigation approach for social engineering-based security breaches that involve gaining physical network access is to make sure network access ports enforce authentication and authorization before granting network access.
In addition, organizations can build “dynamic security domains” per user, per device, per user and device, or any other configuration needed. These dynamic security domains can use technology such as 802.1x, port access-control lists (ACLs), VPN, and host posture assessment.
For more security trends from the first half of 2014, download the Cisco 2014 Midyear Security Report.
In recent months, many organizations are becoming more interested in the information security landscape and how these threats can affect their business today.
In the recent Cisco 2014 Midyear Security Report, the results showed that 90% of select customer networks were found issuing DNS queries to domain names known to be associated with malware distribution. Results also showed an increase in Point of Sale (POS) exploits over the past year. These threats are growing and may put at risk many users using websites where personal or financial information is being submitted. These users need to know how this malware works, that malware is becoming more sophisticated, and that it is becoming increasingly difficult to identify that users’ machines have been compromised by malware. Read More »
Have threat-centric security questions and don’t know where to turn? Wish you could engage with Cisco Security experts and your peers? Good news! … (drumroll please)…. introducing the Cisco Security Community!
The Cisco Security Community is expressly designed to connect you with Cisco Security experts and your peers for all your security questions. Further, the Community is focused on helping you discover what’s new in threat-centric security alongside other leading security professionals. Plus, you can browse the latest videos, product information, on-demand webinars, and blog posts in a single location! There are subsections that allow you to subscribe to just the content you want to see – Cisco products and services, and security discipline focused “sub-communities” are just few of the options. Cisco Communities are set up to allow you to personalize your experience.
Take a moment to cruise around and get to know your new community better, bookmark the site, turn on those RSS feeds, and start engaging!
To get you warmed up:
- Take a look at the Cisco 2014 Midyear Security Report video: Compromised Encrypted Connections and give us your thoughts
- Or join in on the discussion about differences between dmvpn and flexvpn
We look forward to working with you to build a great community of members from experts to newer practitioners and high-quality content (with some community-only exclusives). Make sure to connect with me in the community and message any questions you may have!
Listening to the radio on the way to work recently, I heard that hackers had stolen some 1.2 billion usernames and passwords, affecting as many as 420,000 websites. When asked what listeners could do to protect themselves, the security expert speaking recommended changing passwords.
He did not mention which ones. Indeed, the names of the compromised sites have not even been publicly named for fear of making the problem worse, so there is no way of knowing how to prioritize which passwords to change. Adding to my irritation, I had just changed several passwords in the wake of the Heartbleed/OpenSSL compromise a few months ago. Perhaps like you, I have more than 100 passwords. Changing them all is not really an option. Read More »