Friends might hack you

The Uncomfortable Truth about IT Crime against Enterprises

Your next IT breach will probably start when a “friend” convinces someone else to give away a password. This doesn’t require any IT skills!


IT crime friends hacking you

The facts are probably known to you, but you may not have put them together as done here. The reality is that IT crime can start simply, and with trusted people.

  • Most attacks start with a social engineering attack
  • Your “Friends” are doing it to you
  • They only need a password (credential) to start

You might ask if this is true. Don’t take my word for it. Research from the most trusted security companies has found that:

1. Most attacks start with a social engineering attack

Average cost and frequency of data breaches IBM

IBM report https://www.ibm.com/reports/data-breach

Taken together, phishing, social engineering and stolen or compromised credentials amount to nearly 40% of initial attack vectors! Phishing here includes spear phishing, vishing and smishing.

2. Your “Friends” are doing it to you

Fraud Survey


KPMG: https://assets.kpmg/content/dam/kpmg/xx/pdf/2022/01/fraud-survey.pdf

Organized criminal associations are involved in less than 30% of cases; the remaining perpetrators are people you would consider to belong to your “safe places”! Your employees, business partners, vendors and customers are involved in most fraud and misconduct (KPMG).

3. They only need a password (credential) to start

The Verizon 2022 DBIR states that 50% of data breaches can be attributed to leaked credentials (passwords).

Verizon DBIR Stats 2022

Verizon: https://www.verizon.com/business/resources/reports/dbir/2022/summary-of-findings/

Verizon uses “credentials” to mean the means of getting into your IT system. This primarily means passwords.

Many data breaches have occurred where large volumes of passwords were exposed. These have, however, always come from commercial web systems. We haven’t seen any examples of a corporate Active Directory being stolen and misused, as the AD passwords are stored hashed and encrypted.

This is because most companies have implemented a strong Active Directory password policy. Hackers might still be able to guess or find a user’s password, but we can expect that most passwords for enterprise systems are stolen because someone has given them away to the hackers. This is called social engineering!

Ask yourself: How well is your company protected against employees and close partners who use social engineering to steal a password from an IT user?

How does it happen in reality?

The hackers have different ways to get a real user’s password:

  • Ask a colleague for their password (it might be someone inside a partner company too): “I need a job done, and if I get access to your account, you don’t have to spend your time on it?”
  • Call the IT service desk and impersonate an employee, calling from his office phone: “Hi, this is Joe, I forgot my password – can you give me a new one?”
  • Send a phishing email to users and ask them to enter their password, for some special reason, at a website you control.

Once the hackers have access, they might steal your customer list, your product designs, or your money through false invoices. Perhaps they sell the access on to a real hacker who installs ransomware. Beware that on average it takes 207 days before you discover that you are the victim of a data breach. This means that most data breaches are well hidden and in no way dramatic. Our guess is that a lot of data breaches are never identified!

Average time to identify a data breach

IBM report https://www.ibm.com/reports/data-breach


On average it takes more than 200 days from the attack until it is identified. The fact is that for most IT crimes the hackers don’t want the victims to know that they have been robbed!

Mitigation:

What security product will solve this? No single product will solve the total exposure! The most important decisions will be in these areas:

  • General awareness training is important
  • Two-factor authentication where possible
  • Phishing “filters” as far as possible
  • Forced Identity Verification workflow for central resources like the IT service desk
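The last item above, a forced identity verification workflow at the help desk, is the one that directly counters the “Hi, this is Joe, I forgot my password” call. The following is an added example, not FastPassCorp’s product code and not from the original post: a small Python model of such a workflow in which the agent cannot reach the reset step until the caller proves control of a channel that was enrolled before the call. The `Employee` record, the `send_sms` callback and the 5-minute code lifetime are assumptions chosen for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Employee:
    """Directory record. The phone number is enrolled in advance and is never
    taken from the caller during the help-desk conversation (constructed example)."""
    username: str
    enrolled_phone: str


class VerificationError(Exception):
    """Raised whenever the workflow refuses to move to the next step."""


class HelpDeskResetWorkflow:
    CODE_TTL = 300          # seconds a challenge code stays valid (assumed value)
    MAX_ATTEMPTS = 3        # wrong codes allowed before the challenge is voided
    VERIFIED_WINDOW = 600   # seconds a successful verification can be used for a reset

    def __init__(self, directory, send_sms):
        self.directory = directory      # {username: Employee}
        self.send_sms = send_sms        # callable(phone_number, message); hypothetical transport
        self.pending = {}               # username -> [code, expiry, attempts]
        self.verified = {}              # username -> time of successful verification
        self.audit = []                 # append-only record of every step taken

    def start(self, username, caller_claimed_phone=None):
        """Step 1: send a one-time code to the pre-enrolled number only."""
        emp = self.directory.get(username)
        # Same outward response for unknown users, so the desk cannot be used
        # to confirm which usernames exist.
        if emp is None:
            self.audit.append(("start", username, "unknown-user"))
            return "challenge-sent"
        # A caller offering a "new" number to receive the code is the classic
        # way around this control; the workflow refuses it outright.
        if caller_claimed_phone is not None and caller_claimed_phone != emp.enrolled_phone:
            self.audit.append(("start", username, "phone-mismatch"))
            raise VerificationError("challenge can only be sent to the enrolled number")
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, time.time() + self.CODE_TTL, 0]
        self.send_sms(emp.enrolled_phone, f"Help desk verification code: {code}")
        self.audit.append(("start", username, "challenge-sent"))
        return "challenge-sent"

    def verify(self, username, code_from_caller):
        """Step 2: the caller reads the code back; expiry and attempt limits apply."""
        entry = self.pending.get(username)
        if entry is None:
            raise VerificationError("no active challenge for this user")
        code, expiry, attempts = entry
        if time.time() > expiry:
            del self.pending[username]
            raise VerificationError("challenge expired")
        if attempts >= self.MAX_ATTEMPTS:
            del self.pending[username]
            raise VerificationError("too many attempts")
        entry[2] += 1
        # Constant-time comparison so the check itself leaks nothing about the code.
        if not hmac.compare_digest(code, code_from_caller):
            self.audit.append(("verify", username, "wrong-code"))
            raise VerificationError("code does not match")
        del self.pending[username]
        self.verified[username] = time.time()
        self.audit.append(("verify", username, "ok"))
        return True

    def reset_password(self, username, agent):
        """Step 3: only reachable after a recent successful verification, and only once."""
        when = self.verified.get(username)
        if when is None or time.time() - when > self.VERIFIED_WINDOW:
            self.audit.append(("reset", username, f"refused:{agent}"))
            raise VerificationError("identity not verified; reset refused")
        del self.verified[username]          # one verification buys one reset
        temp_password = secrets.token_urlsafe(12)
        self.audit.append(("reset", username, f"issued:{agent}"))
        return temp_password


def demo():
    """Run the three steps for a constructed employee and return the outcomes."""
    outbox = []                                          # captures what send_sms would send
    directory = {"joe": Employee("joe", "+4500000000")}  # constructed sample record
    wf = HelpDeskResetWorkflow(directory, lambda phone, msg: outbox.append((phone, msg)))
    refused_before_verify = False
    try:
        wf.reset_password("joe", agent="agent-01")
    except VerificationError:
        refused_before_verify = True
    wf.start("joe")
    code = outbox[-1][1].split()[-1]                     # the enrolled phone "receives" the code
    verified = wf.verify("joe", code)
    new_password = wf.reset_password("joe", agent="agent-01")
    return refused_before_verify, verified, new_password, wf.audit
```

The point of the model is the ordering it enforces: the agent has no API to hand out a password before `verify` has succeeded, the code only ever goes to the number on file, and every step leaves an audit entry, so a burst of refused resets against one account is visible to the security team rather than lost in a phone call.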

Do you have the right protection to defend yourself against the early steps?

What are the investments in products to protect against social engineering? We don’t know, as the amount is so small that it is not even counted. This is from Agile Intel Research:

Global Security Market

It doesn’t have its own category despite being among the most important threats! This indicates that too little attention has been paid to one of the most critical vulnerabilities: social engineering.

Products are now emerging to protect against social engineering, and they should be considered as a complement to awareness training. FastPassCorp’s Identity Verification Manager provides a forced workflow for confirming user identity at central resources, where employees and partners call to obtain different types of assets, such as a password from the central IT help desk.

Finn Jensen | Founder, FastPasscorp