How Social Engineering Attacks breach GDPR
The consequences of a GDPR data breach can be severe for any organization. The penalties may be hefty, but more important are the financial losses and the harm done to the individuals affected by the breach. Social Engineering is one of the attack vectors criminals use to get access to critical GDPR-related applications and data. According to Verizon, social engineering is now involved in 35% of all data breaches, up from 17% just 5 years earlier.
Social Engineering in a data breach scenario is always a case where the criminal impersonates another real person. It can be done in writing (as in emails) or in person, and in practice almost always over the phone. Impersonating someone face to face is extremely demanding!
Social Engineering Attacks are primarily about obtaining credentials. The credential they want is a password, since it can be read out over the phone or delivered in writing.
GDPR is about the protection of the individual’s personal information and protecting individuals against identity theft.
A key GDPR element is the credentials protecting an IT user’s identity. If the password is given away, the perpetrator gains access to virtually unlimited information about the user. Once the user identity is stolen, the perpetrator can act as that individual!
The perpetrator can even be an internal colleague, with deep knowledge about what systems to use.
Mass access to personal information:
Every organization that holds personal data about individuals must prevent unauthorized access. Some employees (users) must have access to do their job; they are authorized. Any access by an unauthorized person is a GDPR breach. If just ONE colleague or outsider gets hold of the credentials of an authorized user, the result is a GDPR breach. This ties in with the first threat: once an identity has been stolen, we can expect it to be used for further crimes, such as unauthorized access to information about other persons!
The bad news (or good news, depending on your view) is that it might go unnoticed! In the IT system it is the authorized identity that performs the access and the transactions. The IT system cannot see that an unauthorized person is behind them. It is nevertheless a data breach, and according to GDPR you must report it promptly, or the breach becomes more serious.
Social Engineering Attack
For both GDPR threats, a social engineering attack comes in two variations:
- E-mail based attack
- A phone-based attack
The e-mail-based attack we call Phishing. Generally, phishing attacks target a large part of an organization in the hope that one or two recipients will act on it. The criminals don’t know whether they will get the authorized access they need, as it is a scattershot attempt.
The phone-based attack we call Vishing (voice phishing). Here the criminals can target a specific user with specific rights in the IT system. If the user-id is valuable, the person behind it is probably hard to get a password from. The easier route is then to go indirectly, via the IT service desk: pretending to be the real user, with a few simple social engineering tricks, will in many cases produce the needed password.
National IT-security bodies require or recommend strict processes to prevent credentials from being handed out to the wrong persons. In the USA it is NIST, in the UK it is the Government’s Office, and in Denmark it is the NSIS organization.
They all recommend a risk-based model, where the verification of a person depends on their security profile: the more important the person, the more thorough the verification process must be. They also require that the process is monitored to ensure compliance.
How can we:
- Have different verification tests for different persons?
- Prevent privileged users (those who hand out credentials) from being influenced by social engineering?
- Produce compliance reports of all credential handouts?
The answer is, of course, an intelligent IT workflow for identity verification of employees (users)!
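The three requirements above (tiered verification, an agent who cannot be talked into skipping a step, and a compliance report of every handout) can be sketched as a small policy engine. This is an added illustration, not FastPassCorp’s or ServiceNow’s code; the tier names, check names and sample requests are constructed for the example.

```python
# Added example: a tier-based check-list for service-desk credential handouts.
# Not FastPassCorp or ServiceNow code; tier names and check names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Checks a requester must pass before a password is handed out. The more
# privileged the account, the more independent checks are required. Because the
# policy is enforced by code, an agent cannot be persuaded to skip a step.
POLICY = {
    "standard":   {"known_data", "callback_registered_phone"},
    "privileged": {"known_data", "callback_registered_phone", "mfa_push"},
    "admin":      {"known_data", "callback_registered_phone", "mfa_push", "manager_approval"},
}

@dataclass
class HandoutRequest:
    user_id: str        # account whose password is requested
    tier: str           # security profile taken from the identity directory
    agent_id: str       # service-desk agent handling the call
    checks_passed: set  # verification steps the agent recorded as completed

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req, decision, missing):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": req.user_id, "tier": req.tier, "agent_id": req.agent_id,
            "decision": decision, "missing_checks": sorted(missing)})

def evaluate(req: HandoutRequest, log: AuditLog) -> bool:
    """Approve only when every check required for the tier was passed.
    Every decision, approved or denied, is written to the audit log."""
    required = POLICY.get(req.tier)
    if required is None:  # unknown profile: fail closed
        log.record(req, "denied", {"unknown_tier"})
        return False
    missing = required - req.checks_passed
    log.record(req, "approved" if not missing else "denied", missing)
    return not missing

def compliance_report(log: AuditLog) -> dict:
    """Decision counts plus every approved handout grouped by agent: the
    report a GDPR compliance officer would review."""
    report = {"approved": 0, "denied": 0, "approved_by_agent": {}}
    for e in log.entries:
        report[e["decision"]] += 1
        if e["decision"] == "approved":
            report["approved_by_agent"].setdefault(e["agent_id"], []).append(e["user_id"])
    return report
```

Denied requests are logged with the checks that were missing, so a pattern of near-misses against one privileged account is visible in the report as well as the handouts themselves.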
Based on many years of experience with identity verification in password self-service, FastPassCorp has now released a generic identity verification solution for use by privileged users, for example in the service desk when handing out passwords. The solution is certified by ServiceNow: