November 27, 2014

Companies these days realise the need for Firewall and IPS so hackers more and more turn their attention elsewhere – the human. In all social engineering attacks we have performed this year alone, we have a staggering success rate of 98%. In other words, in 98% of the cases users entered their credentials into a portal which they believed was the portal they were trying to login to.

Almost every user happily associates to an Access Point which broadcasts their company name out and happily becomes a man-in-the-middle victim including SSL stripping. 8 out of 10 users plug any USB stick into their private laptops or company laptops if it’s labeled “confidential”. 9 out of 10 users open PDFs and Excels with malicious payloads if they think a friend or the boss sent them. If company security kicks in, still 4 out of 10 email the PDF to their private Yahoo or Gmail account.

If users are being asked, Java needs to run on the browser – do you accept? They click yes and thereby create a tunnel back to the attacker. Spoofed phone numbers, SMS and Emails are usually only the first step to complete data exposure. Almost all employees accept the CEO or Board member on Linkedin (Wow the CEO just added me). No one even thinks that the “CEO” could be a fake profile from a hacker. Building trust with employees, asking for confidential information and getting this information within 5 days is common place.

We have been conducting Security Audits for customers for years, but even our team gets surprised again and again on how easy it is to obtain information from employees and the best Firewall can’t do anything against it. Have a think about where you click, who you answer to! It may not always be the person you think!

We have created a Cyber Security Awareness Training for ordinary non-technical IT Users.