In light of Mat Honan’s harrowing story, where both Apple and Amazon fell victim to social engineering attacks attributable to profound weaknesses in their identity verification processes, the billion dollar question becomes: how vulnerable are your company’s internal processes to social engineering?
Have you ever called the IT help desk for a password reset? What do they ask you in order to verify your identity? Your name and department? Your boss’s name? A badge number?
Hopefully Mat’s story will prompt security teams at companies of all sizes to take social engineering very seriously.
What can we do?
One highly effective tactic to help guard against social engineering is to carry out benign social engineering and phishing attacks on staff members. Just as we learn from being burned on a hot stove, hacking staff members in a simulation may help educate them on what to look for.
Unfortunately, because we are humans, some people will be fooled at least some of the time, so we need to make sure that we minimize the risks when that happens. That’s where the principle of least privilege helps.
One example of where organizations may be vulnerable to both social engineering and an inability to ensure least privilege is in its authorization processes. IT is often in the position of granting access to data without having the required knowledge of who really should have access.
Call your help desk and tell them you’re the new Associate Head of HR and need access to payroll data and the payroll processing application. You might just get it. And when would that inappropriate access be reviewed, caught, and revoked?
This is precisely why Varonis is emphatic about data ownership and authorization processes. If all access requests for HR data are routed to someone in HR, the likelihood of someone mistakenly doling out excessive or flat-out wrong permissions is dramatically reduced. If HR staff regularly reviews access (even better with the assistance of automated recommendations), the likelihood of inappropriate access drops even further.
These are just some of the precautions we can take in along the path to least privilege, and better security.
As Mat stated in his follow-up post:
“As more information about us lives online in ever more locations, we have to make sure that those we entrust it with have taken the necessary steps to keep us safe. That’s not happening now. And until it does, what happened to me could happen to you.”
This also holds true for our business data both in the cloud and behind the firewall.
Photo credit: Tony Fischer