It's Monday morning and Ajay is at his desk going through his emails. One of the emails is from Visa. It says, "There was a problem with the transaction that happened on Sunday on your Visa Credit Card. Please check the details in the attachment". He does recollect a transaction he made at the mall the previous evening. Worried and curious about what could have gone wrong, he opens the attachment. He cannot make any sense of the junk data that appears on his screen. He thinks for a moment that somebody has played a prank or that there is some system error, shrugs his shoulders, deletes the email and moves on to the day's work, forgetting completely about it.
A week later, on the following Monday, when he reaches his office he senses a lot of tension on his floor: half of the IT team and some senior executives are moving around swiftly with faces as if they had witnessed an apocalypse.
"What happened?" he asks his colleague. "We got hacked", comes the reply from someone who works in the back office team and is not exactly sure of the details. A little more digging and he learns from one of his IT Helpdesk friends that "the bank got hacked". Obviously he has no idea how one of the best banks in Asia, with millions of dollars spent on IT Security, could get hacked. So, how did the presumably secure bank get hacked? Here's how: by Social Engineering. But first let's look at the technical details. The attachment that Ajay got contained malicious code. The code travelled through the network exploiting unpatched Java installations on the desktops and servers. While doing so it managed to evade detection by the anti-virus, intrusion detection system and other security technologies deployed by the organization.
What makes a hacker a successful one is not the ability to script a brilliant piece of malicious code but the ability to successfully carry out the hack! So apart from the intelligent program there is something called social engineering required to hit the target. Visa is a popular credit card company, people shop on weekends, and people in general are a little concerned about their credit card bills. The hacker used all three of these things to get the victim to open (double-click) the attachment. And the rest happened as per the malicious intentions.
The story does not end here. The attacker carried out a further social engineering attack. After they got the details, they mailed the sensitive data to the Business Heads and not to the CIO or CISO. That was the worst part. They hit it where it hurts more! The Business Heads ran to the CEO. The CEO called in the CIO. The CIO was not aware of the attack until the Business informed him, which made matters worse for him. Now the CIO is guilty not only of the attack but also of not having any clue about the damage done. The Business, apparently scared, cornered the CIO, had its way and blamed him for not providing a secure platform for business. In a single hack the attacker scared the business, gave nightmares to IT and shook the reputation of a financial institution that had been painstakingly built over a few decades. Had the attacker informed the CIO, the matter would have been kept under wraps, the damage control done, and life would have been normal again after a few added controls to tighten security. And the internal blame game would be reflected in the annual bonus!
Lesson to be learned: Social Engineering is evil, and User Education, Training and Awareness are the definite tools of the trade to fight it.
Salvadore Vaz
Article Source: https://EzineArticles.com/expert/Salvadore_Vaz/1647331
Article Source: http://EzineArticles.com/8304104