This year has brought still more spectacular hacks, including the email hack of CIA Director John Brennan and the voice mail hack of Department of Homeland Security Secretary Jeh Johnson. When high-profile individuals involved in national security become victims themselves, everyone wonders, “Is anyone safe?” For organizations trying to protect their corporate assets and the sensitive information of their employees and customers, the answer is, “Yes, and No.”
According to published reports, the Brennan hackers persuaded a Verizon employee to relinquish Brennan’s sensitive information after posing as tech support workers whose tools were down. The hacker and his associates used that information to reset Brennan’s password. The hackers targeted Verizon because a reverse look-up of Brennan’s phone number indicated it was a Verizon account. A similar ruse was used in the Johnson hack, in which someone called Comcast, pretended to be Johnson, and gained access to his account.
Both hacks were spectacular examples of what experts call “social engineering,” in which hackers persuade human beings to perform tasks that break normal security procedures. Social engineering is one of the greatest security threats that organizations face, but it is also one of the most preventable.
These hacks (and other social engineering tactics such as phishing) offer important lessons for organizations that want to protect their own assets—and avoid inadvertently compromising another individual or company.
- Keep as much information as possible private. The hacker did not reveal how he obtained Brennan’s cell phone number, but one media outlet speculates the hackers obtained it when it was leaked to the Internet in a 2013 hack. Most companies and their employees expose themselves without any hack at all, since many publish sensitive details such as cell phone numbers on websites, social media sites and other locations. This behavior is dangerous, especially now that free reverse look-up and other information tools provide a wealth of online information.
- Establish strict policies by which sensitive customer, company or employee information may be divulged, shared or stored outside the organization and enact harsh penalties for failing to uphold them. Use technology to protect information and restrict access to only those individuals authorized to retrieve it.
- Conduct ongoing training with personnel regarding the dangers of social engineering, the current tactics being used, and the policies you have enacted to prevent a breach.
Social engineering attacks will never go away, largely because it is impossible to reengineer human gullibility. However, every company holds within its own walls the tools to ensure it does not become a victim.