The shift to remote working has blurred the lines between people’s business and personal lives. With more organizations adopting BYOD (bring your own device) policies, the challenge now is how to protect employees best as they access corporate resources while guaranteeing the privacy of their personal activities. This is the conundrum that Patrick Harr, CEO of SlashNext, and Atif Mushtaq, Founder and CPO of SlashNext, recently discussed in Episode 5 of the Phish Stories webinar series.
According to Harr, if a business can do both, the focus must be on more effectively protecting users from internet hacking and phishing.
“The threat of human hacking has become one of the most significant problems in security today,” he said.
Mushtaq believes that human hacking has risen exponentially, especially in the past five years.
“Exploits and malware used to be the bad guys’ favorite tools. From 2005 to 2015, they could plant these payloads and exploit compromises without requiring any user interaction. However, as vendors have become better at patching software, there has been a sudden decline in these vulnerabilities. This has resulted in the threat actors looking at more innovative ways of compromising systems, and social engineering started gaining momentum,” said Mushtaq.
Indeed, the playing field has become a fertile one. While phishing once focused mainly on email, that channel has been supplanted by social media and other forms of digital communication. Simply put, malicious users have more options available to them to target people, and the attack vectors and payloads used have become significantly more sophisticated.
“Whether it is business email compromise (BEC), credential stealing, fraud, or spear phishing, these attacks have increased significantly in recent years. The old way of protecting against phishing is no longer applicable. Organizations must look towards a new approach to deal with this threat landscape, especially as the bad guys are using sophisticated, freely available cloud services and legitimate infrastructure to host their phishing attacks,” said Mushtaq.
He cites how Google Drive, Microsoft 365, and Dropbox have become popular environments from which to launch phishing attacks.
Harr feels that one of the reasons these methods have become so successful is that they rely on human error to propagate.
“Research has shown that 96% of successful breaches start with human hacking. Just look at the recent Colonial Pipeline cyberattack where ransomware was used to impact the pipeline’s computerized equipment. And even though the company paid the requested ransom within hours after the attack, the application the hackers sent to restore the network operated slowly, causing significant issues in fuel supply,” said Harr.
Therefore, it is no wonder that phishing is the number one method of installing malware to steal administrative credentials. A phishing email would typically target an average user. Once compromised, the hacker would then use that account to attack the network administrator. This is a more effective way of compromising admin rights as they deal with a known entity – the compromised employee email. And when the hacker has access to administrative privileges, they can access multiple systems, gain control of Active Directory, and have virtually limitless opportunities to plant malware and ransomware.
According to Mushtaq, LinkedIn has become a popular vehicle for an attack.
“The convergence of people’s work and personal lives helps make LinkedIn an effective infection vector. Attackers can create fake profiles, monitor people’s posts, and then send them compromised messages. We are seeing a lot of nation-state actors such as North Koreans using LinkedIn to propagate attacks. Even though corporate email might be protected, LinkedIn, Facebook, Twitter, and other social networks are not,” said Mushtaq.
Credential stealing used to be the first thing people would be exposed to following a phishing attempt. While it still happens, the threat landscape has expanded to include ransomware, downloads of malicious Flash players, and rogue browser extensions spread through targeted advertisements. Smishing (over both SMS and WhatsApp) has also become pervasive.
“With 67% of enterprises offering BYOD policies and 87% of them depending on their employees’ ability to access business applications from their smartphones, BYOD will only grow in popularity. The critical thing for an organization to do now is to secure this environment while still maintaining the most fundamental thing to its employees – personal privacy,” said Harr.
Reason for Compromise
Today, attacks come from email (both corporate and personal), mobile, the Web, and social networks. And while corporate email defenses are in place, the rest of these environments have no protection against advanced phishing attacks.
“However, even the most sophisticated cybersecurity solution for corporate email still has a miss rate of up to 12%. No technology is completely secure. And when you add up the high chance of success in the other environments, then phishing is something that has become easy to accomplish,” said Mushtaq.
Harr agrees and admits that when one factors in the number of applications employees use on their personal devices, it is hardly surprising that breaches occur as frequently as they do.
“People are using the likes of Twitter, Instagram, LinkedIn, and others on their devices. At the same time, they use those devices to access corporate emails and other services. Threat actors can then leverage these compromised endpoints as backdoors into the corporate network,” said Harr.
A Perfect Balance
Fortunately, Mushtaq believes there is a way to secure BYOD while still maintaining the privacy of employees.
“Organizations can have both. To do this requires endpoint protection to drive privacy and security while continuing with the BYOD approach. Effectively, the business has full visibility into the threat landscape without compromising its employees’ privacy. This is critical as an enterprise cannot detect and block what it cannot see,” said Mushtaq.
By focusing on the endpoint, a company can have the best detection and protection on the employee’s physical device while performing all analysis of attacks on the device itself. Because no data leaves the device, the company cannot see, for example, the user’s browsing behavior.
“Policy control has absolutely zero impact on phishing protection. Yes, this might ensure that employees stop installing third-party applications, but it cannot stop them from communicating. And this is where phishing is the strongest – hidden in legitimate communication which cannot be blocked,” added Mushtaq.
Therefore, the best way to address the human hacking concern is to manage protection on the endpoint.
“The only way to guarantee privacy while delivering the level of protection needed is to do so on the device itself. If this is to work, companies must focus on the infection and never transmit data back to the corporate environment. This means no ‘day of life’ user behavior will ever be seen by the organization,” Harr added.
To hear more from Patrick and Atif, watch the complete Phish Stories webinar.