Conducting reconnaissance is an essential part of all hacking operations. Figuring out what kinds of IT and information security systems an organization uses helps adversaries anticipate how their target will respond to an attack.
But attackers are interested in gathering much more than technical specs. They essentially want any information that helps them form a complete picture of their target. This includes the vendors the company does business with, appointments in employee calendars, office locations, salaries, even employee work histories. Individually, these details may not reveal much, but pieced together they give a full view of a company’s daily operations. Obtaining some of them doesn’t require infiltrating the company at all: social media profiles contain information that can prove very valuable to an attacker.
If adversaries know that several members of their target’s information security team are attending a conference out of town, for example, they may decide to execute the attack then. With fewer defenders on duty, the operation is more likely to go undetected. Or if the attackers know that the target’s information security team is made up mainly of people with IT backgrounds, they may design an attack that appears easy to eradicate, since security workers with IT roots tend to equate fast remediation with better security. Read our blog post from last Friday to learn why that mentality doesn’t help keep companies safe.
This personal information could also be used to develop an attack vector. Consider the highly customized spear-phishing email that hackers could create if they know that an employee is anticipating an important Word document from a colleague to complete a project that’s due by the end of the week.
The email could be sent a few days before the deadline, with a subject line that references the project. In the body, the attacker masquerading as the colleague explains that he is sending it from his personal Gmail account because he couldn’t access his work email for some strange reason. To make the story seem even more legitimate, the attacker registers a Gmail address that incorporates the colleague’s first and last names. With this level of detail, an employee could easily believe the phishing email is authentic and open the attached malicious Word document. Skilled attackers intent on breaching an organization can find this information with little effort.
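The lookalike-sender message described above is easy to describe and hard for a busy employee to spot, so the check belongs in the mail pipeline as well as in training. The following Python is an added example, not code from the original post. It flags a sender whose display name or mailbox name matches an entry in an internal staff directory while the address itself is external, notes when that external domain is a free webmail provider, and looks for the two other tells in the scenario: an Office document attachment and a “sent from my personal account” pretext in the body. The directory, domain names, regex patterns and both sample messages are constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed internal directory; the domain, names and addresses are fictional assumptions.
INTERNAL_DOMAIN = "example.com"
EMPLOYEES = {
    ("alice", "nguyen"): "alice.nguyen@example.com",
    ("bob", "okafor"): "bob.okafor@example.com",
}
# Free webmail providers where anyone can register a lookalike mailbox (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
# Pretexts that excuse an unexpected sender address (patterns are assumptions).
PRETEXT_PATTERNS = [
    r"personal (gmail|email|account)",
    r"(can'?t|couldn'?t|cannot|unable to) (access|get into|log ?in to) (my )?work (email|account)",
]
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx")

# Constructed sample: the lookalike-Gmail spear-phish from the scenario above.
PHISHING_SAMPLE = """\
From: Bob Okafor <bob.okafor.work@gmail.com>
To: Alice Nguyen <alice.nguyen@example.com>
Subject: Q3 budget model - final draft
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Alice, sending this from my personal Gmail since I can't access my work
email for some strange reason. Final draft attached, we're due Friday.
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="Q3_budget_model.docx"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

# Constructed sample: the same colleague writing from the real internal mailbox.
LEGITIMATE_SAMPLE = """\
From: Bob Okafor <bob.okafor@example.com>
To: Alice Nguyen <alice.nguyen@example.com>
Subject: Q3 budget model - final draft
Content-Type: text/plain; charset="utf-8"

Hi Alice, the final draft is in the shared folder. Ping me if anything looks off.
"""


def _name_tokens(text):
    """Lower-case alphabetic tokens of a display name or mailbox local part."""
    return {t for t in re.split(r"[^a-z]+", text.lower()) if t}


def impersonated_employee(from_header):
    """Return the internal address an *external* sender appears to impersonate, or None."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    if domain.lower() == INTERNAL_DOMAIN:
        return None  # genuinely internal; spoofing of our own domain is SPF/DKIM's job, not this check
    tokens = _name_tokens(display) | _name_tokens(local)
    for (first, last), internal_addr in EMPLOYEES.items():
        if first in tokens and last in tokens:
            return internal_addr
    return None


def score_message(raw):
    """Return the list of findings for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    from_header = msg.get("From", "")
    target = impersonated_employee(from_header)
    if target:
        findings.append(f"external sender uses the name of internal staff {target}")
        domain = parseaddr(from_header)[1].rsplit("@", 1)[1].lower()
        if domain in FREEMAIL_DOMAINS:
            findings.append(f"sender domain {domain} is a free webmail provider")

    body_parts = []
    for part in msg.walk():  # a non-multipart message yields itself
        filename = part.get_filename()
        if filename and filename.lower().endswith(OFFICE_EXTENSIONS):
            findings.append(f"Office document attached: {filename}")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(" ".join(body_parts).split())  # collapse line breaks so phrases match
    for pattern in PRETEXT_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            findings.append(f"body contains an address-change pretext: /{pattern}/")
            break
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, score_message(sample))
```

The directory match is deliberately loose (first and last name anywhere in the display name or mailbox name) because that is exactly how the lookalike address is built; a real deployment would pull the directory from the identity provider and quarantine or banner-tag matches rather than just listing findings. Each finding alone is weak evidence; an external sender with an internal colleague’s name, a free-webmail domain, an Office attachment and an “I’m on my personal account” excuse together are close to a signature of the attack described above.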
LinkedIn, Twitter, Facebook and other social media platforms are intertwined with our daily lives, but that doesn’t mean people have to share every personal detail, especially people who work in information security. Companies should consider holding social media training classes to help employees understand how much they should share.
Consider changing your company’s work patterns to make them less predictable. If a vendor contract is up for renewal and you are already weighing another provider, the security benefit of invalidating whatever an attacker has learned about that relationship is one more reason to make the change.
Finally, reminding employees not to open emails or attachments from unknown or suspect senders is always worth repeating. Given the specific and personal details phishing emails now contain, even the most security-savvy workers can fall for these schemes.