How do cyber criminals gather information to put themselves in a position to attack IT systems? How does a hacker succeed in sending fake emails to as many employees of a company as possible? They often succeed by targeting the weakest link in the chain of a security concept: people. That's why it's incredibly important for employees to know their place in effective measures against information security incidents. And they must look at the risks and opportunities of information security from a different, more conscious perspective. The keyword: security awareness. A guest article by Arwid Zang, Managing Director of greenhats.com
- Websites are like open books
- Simple is most dangerous
- Email addresses: The "capital" of phishing
- Security Awareness: The Trojan horse comes along officially
- Information Security Incidents: A real-life example
- Information security: Employees as a success factor
- The be-all and end-all: Sensitize employees to attacks
- ISO 27001: Awareness as part of the catalog of measures
- An information security incident usually means chaos
- The backdoor into your system
- Lack of awareness: perfect for a targeted attack
- Minimize the probability of occurrence
Websites are like open books
IT security and information security are known to be two quite different things, but the lines can still get blurred. Clearly, IT security incidents regularly lead to information security incidents. Sure, if I'm a hacker compromising a corporate network, I'd have to be sitting in front of the screen with my eyes squeezed shut to avoid picking up one piece of information or another that wasn't meant for me.
However, it is also possible that cyber criminals initially collect information that, in the long term, enables them to attack the IT systems of their chosen victim in the first place.
At the security checks platform greenhats.com, our day-to-day job is to hack companies, identify vulnerabilities, and fix them before criminals find them.
True to the motto "Let's just talk about it", in this article I would like to explain to you in detail a method of attack that affects everyone. And together with you, I would like to address the question: Why am I actually telling you all this?
Information Security Incidents: Simple is most dangerous
We're talking, of course, about the so-called "phishing attack" - don't worry, I'll try to spare you any more foreign words and IT vocabulary. I don't even need them, because phishing is not a technical attack, but an attack on the weakest link in the chain of (almost) every security concept. An attack on people.
Let's assume I want to attack you. Then I don't just sit down haphazardly at my notebook and start typing away on black consoles. No, first I need... exactly! Information and personal data. This includes:
- Email addresses of your company
- Names of your IT staff
- Email signatures
- Information about your corporate identity
- A topic that is interesting for your employees
Assuming I don't know anything except the name of your company, I naturally first go to the website and read and learn everything there is to learn. Above all, I am interested in e-mail addresses and the contact persons of your IT department. Because in the following attack, I want to send a fake email to as many employees as possible (whose addresses I need) while avoiding, as far as possible, sending it to IT as well.
Email addresses: The "capital" of a phishing attack.
Once I find a few email addresses, I derive the pattern, for example "firstname.lastname@example.org". In other words, I try to discover the logic by which an employee's email address can be deduced from their name.
Then I'm off to the Internet again - this time to the social networks. I'm not talking about the "evil" players like Facebook & Co. XING and LinkedIn are much more interesting.
There I search for your company and look at which people state that they work for this company. This way I get a list of names from which we can derive addresses using the identified pattern. At the same time, I can already tell from the profiles in the social networks which of your colleagues could potentially recognize my upcoming attack based on their professional experience and IT interests.
These colleagues will not receive any fake mail from me.
Security Awareness: The Trojan horse comes along officially
Now that I know my attack target, I want to pass myself off as an employee of your company. To do this, I first make contact with you through official channels, for example as a potential customer. I write you an e-mail and ask for a quote. You reply - ideally with a product portfolio or similar.
Your reply provides me with valuable information:
- What does your e-mail signature look like?
- What fonts do you use?
- Where do you place your logo in documents?
- How do you highlight headings?
- What colors do you use?
- And, and, and...
So far, it's not rocket science. But watch out - here comes the trick. Let's assume that your company is called "SampleCompany" and can be found on the Internet at "samplecompany.com". Then I look for a domain that looks very similar to yours, for example "samplecompany.eu". I buy this domain (it really only costs a few euros) and can now build my attack on it.
Because from "email@example.com" I can send e-mails with your signature that look as if they came directly from you. I don't care what names or synonyms I use as the sender, because technically it makes no difference.
Information security incidents: A real-life example
Your business manager is not your business manager
This can be really dangerous if I pretend to be the admin of your IT, for example. I write an e-mail to you and all your colleagues, in which I draw your attention, for example, to a new video portal for remote meetings, where all employees should please authenticate once to check whether the existing contacts have been transferred.
Or when I write to you as an assistant to your managing director and explain that the Christmas party has been cancelled due to the pandemic, but that instead five brand new iPhones are being raffled off by the management. To ensure that everyone ends up in the lottery pot only once, each employee is asked to authenticate once at the attached portal - the winners will then be announced at the end of December.
Fake login area: Child's play in times of digitalization
No matter which method I choose - I have to send you a link that leads to said "portal". This could then be "raffle.samplecompany.eu" or "portal.samplecompany.eu".
Also at this point I can give free rein to my creativity. Since I own the corresponding page, I just have to build something there that looks trustworthy to you and your colleagues. In the case of the contest, for example, a nice login area in the design of your company, with your logo and maybe a little Santa Claus. Or some shooting stars.
Passwords end up with the attacker - in plain text
Of course, security is a top priority on my portal! Everything is excellently encrypted and it is made impossible for third parties to read your input. After all, you are entering usernames and passwords, which is sensitive information. From a technical point of view, all this is absolutely serious. Your data is transferred securely and ends up in the best hands - mine.
By the way, the complexity of your password is completely irrelevant in such an attack; it ends up in plain text with the attacker. And keep in mind that (even if minimally more complex) a wide variety of 2-factor solutions can be "phished" if I adapt my portal accordingly.
Information security: Employees as a success factor
I promised you to clear up the most important question at the end: Why am I telling you all this? The answer is: Who else?
It's important to understand that the attack I'm describing is - from a purely technical point of view - not an attack at all. I am writing you an email from an address that actually belongs to me. There is not even an attachment in it, let alone malware. You are redirected to a page on the Internet which does not try to compromise your system. And as I described earlier, this site is also perfectly secured and all traffic is optimally encrypted.
It's the same with the other (reputable) sites you log on to. And just as you enter your private password at LinkedIn or XING to authenticate yourself, you now enter it at my site.
It is important to understand that from a technical point of view, I am not forging an email. I am forging your entire company.
And that's exactly why technical protection measures don't work. The solution lies in detecting and preventing the attack - and that's up to you. Just like appropriate measures to raise employee awareness in this direction.
Because if I set up this scenario neatly, detecting the attack is only possible by noticing the difference in the address, so in our case the ".eu" instead of your ".com". I am aware that one or the other of you is now absolutely sure that you have the necessary overview to do this even in your stressful everyday work. Therefore, I would like to give the more advanced of you a little food for thought:
Would you also recognize "samplecompany.com" as a fake? A little hint: The "l" is not an L but the Greek letter "Iota". For the human eye there is no difference between them, your computer probably sees it a bit differently. I can assure you that in all the phishing attacks we have simulated for companies, there has not been a single customer where no employee has revealed their data.
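As an added illustration (not code from the article or from greenhats.com), here is a small Python check that a mail gateway or a "report this mail" button could run on a sender address or link to surface exactly the two tricks described above: the swapped top-level domain ("samplecompany.eu" for "samplecompany.com", including subdomains such as "raffle.samplecompany.eu") and the look-alike letter. The company domain, the homoglyph table and all sample inputs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed for this example: the domains the company actually owns.
LEGIT_DOMAINS = {"samplecompany.com"}

# Constructed, deliberately small table of look-alike characters. The Greek
# iota is the one the article mentions (taken as a stand-in for "l", as in the
# text); the rest are common Cyrillic/Greek twins of Latin letters. A real
# deployment would use the full Unicode confusables data instead.
HOMOGLYPHS = {
    "\u03b9": "l",  # Greek small iota
    "\u0456": "i",  # Cyrillic small i
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u03bf": "o",  # Greek small omicron
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0443": "y",  # Cyrillic small u
}


def host_of(value):
    """Extract the host from a URL, an e-mail address or a bare domain."""
    if "://" in value:
        value = urlparse(value).hostname or ""
    value = value.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    try:
        # Mail clients may show the punycode (xn--) form; decode it first.
        return value.encode("ascii").decode("idna")
    except UnicodeError:
        return value  # already Unicode, nothing to decode


def skeleton(domain):
    """Replace known look-alike characters with their ASCII twins."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)


def registrable(host):
    # Simplification for the example: the last two labels are the registrable
    # domain, so raffle.samplecompany.eu -> samplecompany.eu (wrong for co.uk).
    return ".".join(host.split(".")[-2:])


def classify(value, legit=LEGIT_DOMAINS):
    """Return a short verdict on where a sender address or link really leads."""
    host = host_of(value)
    dom = registrable(host)
    sk = skeleton(dom)
    tag = " (homoglyphs)" if sk != dom else ""
    if sk in legit:
        return "legitimate" if not tag else "homoglyph of " + sk
    name = sk.rsplit(".", 1)[0]
    for ld in legit:
        lname = ld.rsplit(".", 1)[0]
        if name == lname:  # same name, different TLD: samplecompany.eu
            return "tld-swap of " + ld + tag
        if lname in host.split("."):  # company name hidden as a subdomain
            return "embeds " + lname + " in " + host + tag
    if not dom.isascii():
        return "non-ascii domain" + tag
    return "unrelated"
```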
The be-all and end-all: Sensitize employees to attacks
So the question is not whether your colleagues would fall for such an attack. The question is much more how many employees will recognize the attack, how quickly they will report it to IT, and how much time IT has to respond.
This is exactly where the employee becomes a success factor for more information security and IT security in terms of security awareness.
I don't want to be one of those white-hat hackers who keep their strategies to themselves and enjoy the disastrous results of such attacks. Rather, I would like to contribute, together with you, to making your company a bit more secure.
Now it's your turn: What I have just described to you is just one example of the many ways in which people and their sometimes negligent handling of information can be exploited and used to make a profit as an attacker. IT departments can only protect against this to a limited extent or not at all; that's their job. Think up attacks yourself, think about how you could hijack your colleagues and make it a topic at the (virtual) lunch table.
ISO 27001: Awareness as part of the catalog of measures
And then, put your company to the test on a regular basis and make awareness part of your security plan. Reading somewhat between the lines, you'll also find this in the internationally recognized standard for an information security management system (ISMS).
ISO/IEC 27001, for example, requires you to ensure awareness and thus sensitization of the weakest link in the chain on how to handle your company's information (Chapter 7.3 and Annex 7.2.2). This starts with something as simple as an email address. Other regulatory or legal requirements, such as the GDPR, also target the preventive approach of incident avoidance.
ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
The revised version was published on October 25, 2022. We will continue to add information about the changes as it becomes available.
"An ISMS according to ISO 27001 defines requirements, rules and methods for ensuring the security of information worth protecting in companies. The standard provides a model for introducing, implementing, monitoring and improving the level of protection. The aim is to identify potential risks to the company, analyze them and make them controllable through appropriate measures. ISO 27001 formulates the requirements for such a management system, which are audited as part of an external certification process. The standard is available from the ISO website."
Meet the standard's requirements with awareness measures, such as guidelines, training, communication about ongoing news, or even simulated phishing attacks, as we do for our customers. And: Be honest with yourself and ask yourself how successful your previous training measures have been in preparing you for an emergency like the one I have just outlined.
An information security incident usually means chaos
While we're on the subject of honesty: How would you actually react to an information security incident triggered by a cyberattack? Admittedly, the topic of reactive security is always a bit uncomfortable, but it's something that should be talked about.
People like to think of it like a fire alarm drill - at some point during working hours, a bell rings unexpectedly, everyone leaves the building in an orderly and calm manner, waits outside for a bit and chats with colleagues about the weather, and after a while everyone is allowed to come back in and on the way they can grab a coffee.
But it's not like that.
My team has already been contacted by a couple of companies where there was an attack, and I can promise you: It's chaos. Even several days after the actual event. Among other reasons, that's because modern hackers take advantage of their victims' arrogance.
I want to explain this to you, so let's go back to our phishing attack. Let's say that I, as the attacker, manage to remotely connect to one of your colleagues' IT systems using their password. Do you think I don't expect someone in your company to notice that there has been an attack and to report it to IT? In the best case, that someone is you personally; I'm fully aware of that.
Information Security Incidents: The backdoor into your system
That's why I do two things: First, I do something obvious that annoys your company and gives you something to do. For example, I send spam emails to your customers in the name of your colleague. That stands out and keeps you and your IT department busy. Now you can pull all your contingency plans out of the closet and work through the information security incident in textbook fashion with your IT reps. Including sophisticated marketing measures that will polish the tarnished image to a new high gloss and perhaps make you look even better as a "survivor" than before. Professionals can do this.
But at the same time, as an attacker, I'm trying to set up a backdoor to a system that your IT won't notice in all the hubbub. It's like going into a jewelry store, knocking over the biggest display case, and secretly putting all the expensive rings and watches into my pocket while everyone is pouncing on the broken pieces.
Needless to say, my back door is extremely hard to find if you don't know what you're looking for. And then I don't do anything. For weeks, for months.
Now I'm trying to work my way through your corporate network, silently. Without any "noisy" software scanners, which would exhaust your network and alert your security systems. Completely manually, old school, so to speak. By the way, this is where the wheat is separated from the chaff on the hacker side. If your network has only ever been exposed to security scanners in test scenarios, that won't help you at all now. I spread out and I wait - patiently. I try to identify when and how backups are made, who communicates with whom, and where your organization is most sensitive. In our example, I probably do this at night - or at least after core working hours, when I'm even less likely to be observed. And, of course, I cover my tracks every day.
And then - months later - the big information security incident occurs. Completely out of the blue for your company. For example, I then use one of the numerous encryption Trojans to blackmail you. "Coincidentally," however, because of my preliminary work, it runs under the highest privileges, bypasses your security measures, and spreads to the systems with your most relevant files first. And if, in all the time I've had, I've noticed a weakness in your backup system... Like I said, chaos.
Lack of awareness: perfect for a targeted attack
Yes, we are still in our example, but this is not Hollywood by any means. This is a common practice and a key reason why we still hear and read so often about companies struggling with such encryption Trojans. A few years ago, these were more or less unleashed on the Internet, and only the weakest sheep of the flock fell victim to them: the companies that had weak technical security on the outside.
Things are different today. The lack of awareness of employees is used to target companies and only when the victim is fully controlled is the automated attack software deployed.
I still believe that proactive IT security measures and, in particular, strong security awareness are the most important building blocks in any company's IT security concept - there are simply too many examples and concrete cases to back this up. Nevertheless, a well-developed security awareness also includes the understanding that it is possible to be affected. I include myself in this. And if that should happen, you should be prepared.
Minimizing the probability of occurrence
I deliberately included the example of the fire alarm in my remarks. It prepares the company for the event that, despite all proactive measures, a fire does break out. Some companies also have something like this for information security incidents and IT security incidents. And if that would be a bit much for you (it really always depends on the company in each individual case), I still have a tip for you:
Should you implement penetration tests or other attack simulations as part of your proactive security measures, don't settle for simply fixing the vulnerabilities you find. Always ask the question: Has this vulnerability been exploited in the past? Have backdoors been installed?
"Don't stop asking questions."
Or, put another way, treat every "finding" with the seriousness of an actual information security incident. That way, you minimize the probability of occurrence while also putting your reactive security plans - which I sincerely wish you never need - to the test. Like the fire alarm.
All this is part of awareness and at the same time only a part of the whole. With this important component, however, you can hopefully smile at me when I ask, "If I put my mind to it tomorrow, could I catch you on the wrong foot?". Hopefully.