Recently, the API communication provider Twilio and the well-known network technology giant Cisco both suffered social engineering attacks and data leakage at the hands of hackers; the resulting “holes” have since been patched.
People are still the biggest vulnerability
In an attack against Twilio in early August, hackers carried out a text message phishing scam, impersonating Twilio’s IT department and warning employees that their passwords had expired or needed to be changed.
Employees who clicked the link were taken to a phishing site that appeared to be a Twilio login page, where hackers obtained login credentials for Twilio employees, which they later used to access the company’s internal systems and view data on 125 customers.
In the data breach disclosed by Cisco on Thursday (which occurred on May 24, 2022), the “Yanluowang” ransomware group claimed to have stolen 2.8GB of Cisco data. In this attack, the attacker first took control of an employee’s personal Google account (the user had synced the account’s login credentials to the browser).
The attacker then posed as various trusted organizations to conduct a series of voice phishing and MFA fatigue attacks on the employee, sending MFA verification notifications in large numbers until the employee (by mistake or out of carelessness) confirmed one of the verification requests, thereby enabling the attackers to access the VPN and critical internal systems.
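The MFA fatigue pattern described above (a burst of rejected or ignored push prompts followed by an approval) is something an identity provider's logs can surface. The following is an added detection example, not code from the article or from either company; the log format, user names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA push log (not real data).
SAMPLE_LOG = """\
2022-05-24T02:10:05Z user=alice event=mfa_push result=denied
2022-05-24T02:10:41Z user=alice event=mfa_push result=timeout
2022-05-24T02:11:12Z user=alice event=mfa_push result=denied
2022-05-24T02:11:50Z user=alice event=mfa_push result=timeout
2022-05-24T02:12:30Z user=alice event=mfa_push result=denied
2022-05-24T02:13:02Z user=alice event=mfa_push result=approved
2022-05-24T09:00:00Z user=bob event=mfa_push result=denied
2022-05-24T09:00:45Z user=bob event=mfa_push result=approved
2022-05-24T17:30:00Z user=carol event=mfa_push result=approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)$")

def parse_log(text):
    """Parse push events into (timestamp, user, result) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"]))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return {user: rejection_count} for users who approved a push after at
    least min_rejections denied/timed-out pushes within the preceding window."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            rejected = [r for t, r in evs[:i]
                        if ts - t <= window and r in ("denied", "timeout")]
            if len(rejected) >= min_rejections:
                findings[user] = len(rejected)
    return findings
```

A single denial followed by an approval (bob) is normal user behaviour and is not flagged; only the burst-then-approve sequence is.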
Both the Twilio and Cisco data breaches show that companies cannot rely solely on their employees to identify increasingly sophisticated social engineering scams, even if those employees are IT technologists themselves, and even if the target companies are themselves cybersecurity tech giants (like Cisco).
“These two attacks demonstrate that social engineering remains one of the most effective ways to gain access to an organization, and that any organization can be targeted,” said Allie Mellen, senior analyst for security and risk at Forrester.
“Ultimately, humans are always the target of attacks. If a user receives an email or text message from a seemingly credible source with urgent information, the user is likely to click the link in addition to a security review,” Mellen said.
Password-based security is very weak
One of the main reasons attackers tend to use social engineering attacks such as phishing scams is that these tools are easy to use and effective at harvesting login credentials.
Research shows that 19% of cybersecurity incidents are caused by stolen or compromised credentials, and 16% are caused by phishing, suggesting that password-based security is largely ineffective at deterring threat actors.
Likewise, no antivirus or “advanced tools” can prevent employees from making mistakes and leaking sensitive information.
In addition to the need for targeted reinforcement of “human factors” solutions such as security awareness training, there is an increasing need for businesses to rethink data access control. Virtual machine backup solutions are also a good choice for data protection; common options include RHV backup, VMware backup, and so on.
Because statistics show that companies encounter an average of 700 social engineering attempts per year, even employees who strictly adhere to security best practices cannot avoid making mistakes. After all, attackers only need to mislead employees once to successfully obtain their login credentials.
At the same time, while passwordless authentication solutions like those developed by the FIDO Alliance will help eliminate reliance on credentials, businesses should not rely solely on these measures and MFA to secure their IT environments. (Editor: In Cisco’s case, employees who lacked security awareness and vigilance were socially engineered by attackers to bypass the MFA mechanism.)
Rethink data access control
Introducing strict data access controls and enforcing the principle of least privilege are key to reducing the level of risk posed by social engineering threats. If employees only have access to the essential information they need to perform their day-to-day duties, less data is put at risk, and employees are no longer an obvious target in hacking attacks.
Gil Dabah, co-founder and CEO of Piiano, a data privacy infrastructure provider, noted: “Phishing attacks are on the rise. Proper access controls can minimize the amount of stolen data leaked when credentials are compromised.”
“The average person in an enterprise really has no real use case to browse through large volumes of raw customer data, so advanced data access controls can limit data exposure,” Dabah said.
In terms of practical advice, Dabah said businesses should mask personal information as much as possible, implement rate limits on database access, and use anomaly detection techniques to monitor user access for signs of malicious behavior.
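Two of the measures above, a rate limit on database access and anomaly detection on user access, can be demonstrated together. The following is an added example, not code from Piiano or the article; the per-user limit, the baseline read counts and the service account name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

class RecordAccessGuard:
    """Per-user sliding-window rate limit on customer-record reads. Attempts
    (allowed or denied) are also counted per user for the anomaly check."""

    def __init__(self, max_reads=20, window=timedelta(minutes=1)):
        self.max_reads = max_reads
        self.window = window
        self.recent = defaultdict(deque)    # user -> timestamps of allowed reads
        self.attempts = defaultdict(int)    # user -> read attempts today

    def authorize_read(self, user, ts):
        """Return True if the read may proceed, False if it exceeds the limit."""
        self.attempts[user] += 1
        q = self.recent[user]
        while q and ts - q[0] > self.window:
            q.popleft()                     # drop reads outside the window
        if len(q) >= self.max_reads:
            return False
        q.append(ts)
        return True

def flag_anomalous_users(baseline, today, sigma=3.0):
    """baseline: user -> daily attempt counts over past days; today: user -> count.
    Flag users whose count today exceeds mean + sigma * stdev of their history."""
    flagged = {}
    for user, count in today.items():
        history = baseline.get(user, [])
        if len(history) < 2:
            continue                        # too little history to judge
        threshold = mean(history) + sigma * pstdev(history)
        if count > threshold:
            flagged[user] = round(threshold, 1)
    return flagged

def demo():
    # Constructed scenario: a compromised account fires 25 reads in 25 seconds,
    # while its history shows roughly 20 reads per day.
    guard = RecordAccessGuard(max_reads=20)
    t0 = datetime(2022, 8, 4, 10, 0, 0)
    allowed = sum(guard.authorize_read("svc-support", t0 + timedelta(seconds=i))
                  for i in range(25))
    history = {"svc-support": [18, 22, 20, 19, 21], "analyst": [5, 7, 6]}
    return allowed, flag_anomalous_users(history, dict(guard.attempts))
```

The rate limit caps what a stolen credential can pull in a burst, and the baseline check turns the burst into an alert even though each individual read was authorized.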
Focusing on data access control can not only be very effective in reducing the amount of information an attacker can steal, but it can also take some of the stress off your employees.