The Hacker’s Most Powerful Secret Weapon

By David Stelzl

Unlike the average criminal, hackers are building, and have access to some of the most sophisticated tools in the world. But what is their most powerful tool and how are you helping them improve it almost every day?

When security experts embark on an assessment, the goal is to uncover vulnerabilities. They scan your network ports, look for unpatched computers, and may analyze traffic (although in many cases they miss this critical step.) But none of these things will stop, or even slow the hacker’s best tools.

Regardless of how much money your company spends assessing, locking down perimeters, and hardening servers, your company stands wide open if you misunderstand the power of social engineering.  Yet, social engineering is one of the oldest, most powerful tools in the hands of the hacker.

How hard would it be for me to convince your office workers to give me access to their computers? Not hard. In general, people trust each other. All I need is a small amount of information to make me sound credible. I’m your IT support guy, the new manager in Tampa, or a representative from Microsoft, wanting to help you upgrade your system.

So how are you helping these hackers every day?  It’s called social media. Years ago, if you recall the early days of Internet computing, we were hesitant to put a blog post online. Putting a picture of the kids was a no-no.  Today, placing a compromising picture of oneself is common practice. Whether it be funny, foolish, or sexy, people will put almost anything online. And social media companies want more.

Facebook, for instance, has a valuation worth about 75 Billion Dollars. Yet they don’t really own anything – except data.  Data aggregators are building the profiles hackers need to be you, or someone you know. And the more social media platforms such as Facebook, LinkedIn, Twitter, and Instagram discover the value of data, the more they will encourage us to share freely. This is the hidden agenda of all social media platforms. And it’s making them millions at our expense.

From there data aggregators can know or predict almost anything about you. Your personality, political beliefs, sexual orientation, secret buying habits, personal medical issues, and more. And once the hacker has access to this data, which they do, they have an incredible reservoir of power.

With data in hand, convincing your office workers that they are someone they are not, or simply committing fraud using your company data (such as Corporate Account Takeover Attacks) is nearly impossible to stop. No firewall in the world can defend against such attacks.

So what should a company be doing to secure their corporate secrets and intellectual property? The end-user is the new firewall. Every user must understand that the data they create every day, is an asset. They must know what creates these assets, who wants them, how they’ll get them, and how to spot a possible breach attempt. They must also know what to do about it, and be willing to take those predefined steps.

While security technology is essential, securing data has a lot more to do with the people who create and use data to make your company successful. Educating them on security, in a way that allows them to become an extension or your security team, is the first step to keeping your company secrets, secret.

 

To find out more about this topic directly from the author David Stelzl, join the two leading international banking associations in the Western Hemisphere – FIBA and FELABAN, at their upcoming CELAES Financial Security Conference in Miami, October 3-4, 2016.

(To register:      www.felabancelaes.com).   Questions on registration: (+ 1 305 539 3745 or cpretelt@fiba.net)

blog_banner-01