25 days of security

It’s now been seven days of paranoia and today’s topic is about social engineering.  Or as the FBI puts it in their video designed to help train political campaign workers to not be tricked… “targeted lies designed to get you to let your guard down”.  Social engineering is now one of the key ways that attackers use to get into our systems, however, it is not new.  Back in 1995, Kevin Mitnick was arrested for breaking into computer systems, often without cracking passwords, merely tricking the person on the other end of the phone call with key information to get them to trust him to turn over more information.  He now is the “Chief Hacking Officer” of Knowbe4 a security awareness company.  What worked then, still works now, except what often worked then had to do with a human, Kevin, calling the victim over the phone and gathering information to trick the person on the phone to turn over key information.

Now we use phishing and spear-phishing (targeted attacks) via email to get to the same target.  As is noted in the video by the FBI, be careful what you share online and on social media.  Often you “leak” key personal information in social media posts.  Often password reset questions can be googled.  How many times have we seen reports of key individuals whose email accounts got hacked by being able to google up key questions in the person’s biography like where they went to school and so on.

90% of breaches start with social engineering/phishing attacks.  Read that stat again…. 90%.  Ransomware containing emails have increased 6000% between 2016 and 2017.

Bottom line they are out to get you so watch your email carefully.  For all the automatic tools and filters I have on my email, often the only thing between me and an attacker is a bit of skepticism and paranoia and not immediately opening up emails.  Don’t open attachments you weren’t expecting.  Run files through www.virustotal.com just to be safe.  Empower yourself it not immediately take action on email.  Be more suspicious of what comes into your email.  The vast majority of email in your inbox is there to attack you.