In November 2017, Google announced the results of a year-long study of email and social media account hijacking that began in March 2016. In the report, Google stated that nearly 3.3 billion credentials had been exposed through third-party data breaches during that period.
To better understand this threat, and the other security concerns that individuals and corporations are confronting today, I sat down with Ray Johansen, Solutions Architect and Security Practice Lead for ShoreGroup.
Almost 30% of internet users report being a victim of a hijacking attack. So, what exactly is Google talking about when they refer to “hijacking”?
Hijacking refers to a situation where a person, other than the legitimate Google account user, ends up with the credentials for an account. This personal info can be compromised in a number of different ways.
Is this something that just affects individual users, or are businesses affected as well?
Google's study was really only focusing on individual users, but attacks targeted at enterprises are happening in an eerily similar way — the same methodology is being used.
So, how does hijacking differ from Business Email Compromise (BEC)?
We’re starting to hear more about BEC these days, and it should be looked at as a growing form of fraud. By using social engineering and preying upon people’s fears, attackers manipulate people into taking an action they shouldn’t take like wiring money to a fraudulent account. With BEC, the bad guys do things like use look-alike domains to impersonate the CFO and direct accounts payable to wire money to a fraudulent account. Contrary to hijacking, BEC does not necessarily require the attainment and misuse of credentials.
Are there other ways that individuals and businesses are vulnerable to attack?
Absolutely! With hijacking, an attacker wants to get the user credentials for an account. Phishing is different; the attacker may send an email to their target saying: "Hey, I am First Trust Bank, and I noticed some strange activity on your account. Do you mind logging in to your account and making sure that those charges are legitimate?" So you log in through something that might look a lot like the First Trust Bank portal, but actually it’s a domain controlled by the attacker — and now they have your username and password. That spells big trouble for the victim, particularly if they use the same credentials for work, social media or other accounts. Keylogging, another form of attack, refers to getting a piece of software onto a device that can record what you type, essentially capturing the same type of information.
In Google’s article, they refer to a “defense-in-depth” approach to security. What does that mean?
“Defense-in-depth” refers to developing a system of overlapping controls — where multiple controls would have to fail before something breaks. Credit card companies have been doing this for years. When you swipe your card at the gas station, it validates that the card is good, but also checks that you are a legitimate user by prompting you to enter the zip code for the card’s billing address.
Human interaction accounts for the greatest number of security breaches, and is often the reason why enterprises fall victim. Think about how often employees share passwords and key cards. Defense-in-depth tries to mitigate the impact of those bad human habits.
Generally speaking, are businesses using good security practices these days?
I'm going to say that by and large, they're not. But I'm also going to say that the capabilities are out there. The most common measure that businesses are taking is some level of two-factor identification. For example, you often see people walking around with RSA SecurID tokens on their keychains. Really though, it comes down to user education, and being able to make employees understand the impact of clicking on a fraudulent link. Instilling personal accountability is critical. Businesses look to automated tools to instill this, but without people understanding it, they're always going to be at risk.
How can businesses supplement their systems with more protection, beyond multi-factor authentication and personnel training?
One of the things being looked at right now is the idea of automation in analytics, which means programmatically analyzing the behavior of individual employees and assessing whether that behavior is consistent with their job function, working hours, status within the company, the typical device they use to connect to the network, et cetera. If we can identify really unusual or atypical behavior against the norm, we can flag the situation and look closer to make sure everything is on the level.
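The behavioral analytics Johansen describes in his last answer, working hours and usual device as a per-user norm with deviations flagged for review, can be sketched in a few dozen lines. The script below is an added example written for this page; it is not ShoreGroup's or Google's tooling, and the login lines, user names, device names and scoring weights are all constructed for illustration. It builds a per-user baseline (hours seen, devices seen, source countries seen) from a history of login events, scores each new event by how many of those norms it breaks, and flags only events that break more than one, or that belong to a user with no history at all.

```python
"""Toy user-behaviour baseline and deviation scoring over login events (added example)."""
from datetime import datetime

# Constructed sample history, not real logs. Fields: timestamp,user,device,country
BASELINE_LOG = """\
2017-11-06T08:55:00,alice,LAPTOP-A1,US
2017-11-06T09:10:00,alice,LAPTOP-A1,US
2017-11-07T08:40:00,alice,LAPTOP-A1,US
2017-11-07T17:30:00,alice,LAPTOP-A1,US
2017-11-08T09:02:00,alice,LAPTOP-A1,US
2017-11-06T10:15:00,bob,WS-B7,US
2017-11-06T14:20:00,bob,WS-B7,US
2017-11-07T11:05:00,bob,WS-B7,US
2017-11-07T13:50:00,bob,WS-B7,US
2017-11-08T09:45:00,bob,WS-B7,US
"""

# Constructed new events to score against that history.
NEW_LOG = """\
2017-11-09T08:58:00,alice,LAPTOP-A1,US
2017-11-09T03:12:00,alice,UNKNOWN-X9,RO
2017-11-09T12:00:00,bob,WS-B7,US
2017-11-09T12:05:00,bob,PHONE-B2,US
2017-11-09T12:10:00,carol,WS-C3,US
"""

# Hypothetical weights: an unseen device or country is a stronger signal than an odd hour alone.
WEIGHTS = {"off-hours": 1, "unseen-device": 2, "unseen-country": 2, "no-baseline": 3}
HOUR_SLACK = 1  # tolerate logins one hour either side of the observed range


def parse_events(text):
    """Parse comma-separated login lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, device, country = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "country": country})
    return events


def build_baselines(events):
    """Per-user profile: the hours, devices and countries seen in the history."""
    profiles = {}
    for ev in events:
        p = profiles.setdefault(ev["user"], {"hours": set(), "devices": set(), "countries": set()})
        p["hours"].add(ev["ts"].hour)
        p["devices"].add(ev["device"])
        p["countries"].add(ev["country"])
    return profiles


def score_event(profiles, ev):
    """Return (score, reasons) describing how far one event departs from its user's norm."""
    p = profiles.get(ev["user"])
    if p is None:
        # Edge case: a user with no history cannot be compared, so surface the event for review.
        return WEIGHTS["no-baseline"], ["no-baseline"]
    reasons = []
    lo, hi = min(p["hours"]) - HOUR_SLACK, max(p["hours"]) + HOUR_SLACK
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off-hours")
    if ev["device"] not in p["devices"]:
        reasons.append("unseen-device")
    if ev["country"] not in p["countries"]:
        reasons.append("unseen-country")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_anomalies(baseline_text, new_text, threshold=3):
    """Profile users from baseline_text, then return new events scoring at or above threshold."""
    profiles = build_baselines(parse_events(baseline_text))
    flagged = []
    for ev in parse_events(new_text):
        score, reasons = score_event(profiles, ev)
        if score >= threshold:
            flagged.append({**ev, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(BASELINE_LOG, NEW_LOG):
        print(hit["ts"].isoformat(), hit["user"], hit["score"], ",".join(hit["reasons"]))
```

With the constructed data, alice's 03:12 login from an unknown device in an unseen country scores 5 and is flagged, carol is flagged because she has no baseline at all, and bob's login from a new phone scores only 2 and is left alone: a single deviation is treated as noise, and it takes two overlapping signals to raise an alert, which is the same overlapping-controls idea as the defense-in-depth answer above. Real deployments replace the fixed hour window and hand-picked weights with statistics learned over a much longer history and tune the threshold against the false-positive rate the security team can actually investigate.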
About the Author: Joseph Cassano is a writer and content developer who focuses on technology integral to businesses. He works with companies around the globe, helping them to develop marketing messages and establish thought leadership.
Ray Johansen is Solutions Architect and Security Practice Lead at ShoreGroup. ShoreGroup has been the trusted managed and professional services team for hundreds of customers since 1999 - offering full IT lifecycle services to help businesses grow and overcome challenges.