The most thorough firewalls are useless against oblivious users, who are duped into inviting malware and spyware onto secure networks. Users are, more often than not, the biggest weakness in your network’s security, and hackers are increasingly using social engineering to gain access to secure data.
Social engineering, much like classic hacking, takes note of unintentional patterns and finds openings in otherwise secure environments. Human-hacking takes advantage of our unconscious decision-making patterns to gain access to secure networks.
Hackers take advantage of our assumptions about what kinds of devices and hard media are “safe.” Even air-gapped networks are vulnerable to these trojan horses. For example, hackers will leave USB drives with reconnaissance software on a reception desk or in the parking lot of a business, trusting that some good Samaritan will plug one into a secure computer to see if they can identify the owner. Meanwhile, the device is taking note of the network map and transmitting that information as soon as it is plugged into a networked computer. And of course, any company with a bring-your-own-device policy is highly vulnerable. Even when personal devices for work use are prohibited, in air-gapped offices, employees itching for that email or Facebook fix often turn their cell phone into a hotspot to connect work devices, however briefly, to the internet.
Malware can also be hidden within files that appear to be legitimate communication. One famous hack involved a hacker posing as a conference photographer, taking pictures of attendees during social functions, and then sending out the photos with malicious code embedded in the images.
Some USB devices are programmed to appear to the computer as another kind of external device, such as a keyboard, so they can enter malicious commands. CDs and DVDs of all kinds can also hide malware and spyware. Sophisticated hackers have even intercepted shipments of software CDs, hard disk drives and other devices, installed malware, rewrapped them (reproducing shrink wrapping, packaging, etc.), and sent them along to be installed by unsuspecting IT pros. This malware infects the firmware of hard disk drives prior to the OS load, creating a secret storage vault that survives military-grade disk wiping, formatting, and encryption. Vendors that were impacted by this type of hack include Maxtor, Samsung, IBM, Toshiba, and others.
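The keyboard-masquerading drive described above is something an endpoint agent can flag from the interface descriptors a device presents when it is plugged in: a "flash drive" that also enumerates a keyboard interface, or a keyboard from a vendor that is not on the list of approved keyboards, deserves a block or a review before any keystrokes are accepted. The following is an added example written for this article, not code from CBT Nuggets or the webinar; the device records, vendor/product ids, and the allowlist are constructed placeholders, and the `assess`/`triage` functions are illustrative names.

```python
"""Flag USB devices whose interface set does not match what they claim to be.

Added example, not from the original article. The device records below are
constructed to resemble what a host sees in USB interface descriptors; the
vendor and product ids are placeholders, not real hardware.
"""
from dataclasses import dataclass

# USB interface class codes (defined by the USB specification)
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01  # interface protocol used by boot keyboards


@dataclass(frozen=True)
class UsbInterface:
    cls: int
    subclass: int
    protocol: int


@dataclass(frozen=True)
class UsbDevice:
    port: str
    vendor_id: int
    product_id: int
    interfaces: tuple  # tuple of UsbInterface


# Constructed inventory: what an endpoint agent might report after insertions.
SAMPLE_DEVICES = [
    # plain flash drive: a single mass-storage interface (SCSI transparent, bulk-only)
    UsbDevice("1-1", 0x1234, 0x0001,
              (UsbInterface(CLASS_MASS_STORAGE, 0x06, 0x50),)),
    # "flash drive" that also enumerates as a boot keyboard
    UsbDevice("1-2", 0x1234, 0x0002,
              (UsbInterface(CLASS_MASS_STORAGE, 0x06, 0x50),
               UsbInterface(CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD))),
    # keyboard-only device from a vendor nobody approved as a keyboard maker
    UsbDevice("1-3", 0x1234, 0x0003,
              (UsbInterface(CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD),)),
    # the approved corporate keyboard
    UsbDevice("2-1", 0xABCD, 0x0100,
              (UsbInterface(CLASS_HID, 0x01, HID_PROTOCOL_KEYBOARD),)),
]

# Constructed allowlist: vendor ids of keyboards the organisation actually issues.
KNOWN_KEYBOARD_VENDORS = {0xABCD}


def assess(dev):
    """Return (verdict, reason) for one device based on its interface set."""
    classes = {i.cls for i in dev.interfaces}
    has_keyboard = any(i.cls == CLASS_HID and i.protocol == HID_PROTOCOL_KEYBOARD
                       for i in dev.interfaces)
    if has_keyboard and CLASS_MASS_STORAGE in classes:
        # Storage that can also type is the pattern described in the article.
        return ("block", "storage device also presents a keyboard interface")
    if has_keyboard and dev.vendor_id not in KNOWN_KEYBOARD_VENDORS:
        return ("review", "keyboard from a vendor not on the keyboard allowlist")
    return ("allow", "expected interface set")


def triage(devices):
    """Map each device port to its (verdict, reason)."""
    return {d.port: assess(d) for d in devices}


if __name__ == "__main__":
    for port, (verdict, reason) in triage(SAMPLE_DEVICES).items():
        print(f"{port}: {verdict:6} {reason}")
```

On a real host the same decision can be enforced rather than just logged, for example by a udev rule on Linux or a device-control policy on Windows that refuses to bind the HID driver to unapproved devices; the logic above is the part that decides which devices those are.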
Another example of infiltration disguised as innocuous activity is a virus that impersonates a device’s network interface card so that, when the user browses to a password-protected site, it can redirect them to a dummy site that records the password.
Prevention: User Policies
Given the variety of ways hackers exploit users, what can IT professionals do to keep a network secure? First, a strong, highly-enforceable acceptable-use policy is a must. Include policies that govern email, websites, and social media usage. Consider disallowing external devices. Tie compliance with this policy to promotion, advancement, or pay raises. Some highly secure organizations terminate employees for breaching these policies.
To discourage employees from visiting dangerous sites, you can send out an email every week with a recording of their web usage. They’re likely to be more careful when they know they’re being watched.
Prevention: Admin Policies
On the admin side, IT departments should insist on user-access control and never make average users admins. Limiting their access also limits the chaos unleashed by their lapses in judgement.
Finally, all network equipment that comes into the office, from hard disk drives to network interface cards, must go through the IT department. IT pros should look carefully to make sure tamper-proof packaging is intact, to help prevent compromised devices from accessing your data.
Byline: Leslie Rutberg is a tech and IT industry blogger for CBT Nuggets. This article was based on their recent webinar “10 Tips for Locking Down End-User Security.”