For many years security professionals have advocated layered safeguards to reduce the risk of threats. Many organizations do employ multiple technologies such as firewalls, anti-virus and intrusion detection to try to stop attackers, but attackers are getting very good at navigating our layers of security. It’s like the old Mario and Donkey Kong video games where you had to jump over land mines, climb ladders, wait for doors to open and avoid swinging obstacles to reach the bonus prizes.
As an example of how many layers they are able to traverse, consider the reported attack on a financial institution’s enterprise network, which started life as a hacked Facebook account.
To make a long story short, the attackers did the following:
- They captured the Facebook credentials of an individual who worked for a financial institution.
- They then scanned the user’s Facebook profile for recent social events involving co-workers, and found a company picnic.
- They then sent emails to multiple Facebook friends who were co-workers saying, “Hey, have a look at the pictures I took at the company picnic!”
- The emails contained links to malicious web pages that attempted to launch a keylogger on the victims’ computers.
- They then scanned the keystrokes of an employee whose laptop had become infected with the keylogger and found the authentication credentials for the corporate VPN.
- They infiltrated the VPN, infected a computer inside the corporate perimeter, and performed vulnerability scans around the network to find servers holding sensitive information.
The attack lasted as long as 2 weeks. If the attackers’ vulnerability scans had not been so “noisy”, they might never have been noticed, and the company could have suffered severe losses in terms of costly data breaches, corrupted databases and system repairs.
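The “noisy” scans were what gave the attackers away, so one detection a defender would want is a check for an internal host touching an unusual number of distinct destination hosts and ports in a short window. The following is an added example, not code from the original post: it runs a sliding-window count over a constructed connection log, with a made-up infected laptop (10.0.5.23) probing 30 ports on one server next to a normal host (10.0.5.7); the addresses, thresholds and log format are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed connection records (time, src, dst, dport); not taken from the post.
# 10.0.5.23 plays the infected laptop sweeping one server's ports; 10.0.5.7 is normal traffic.
T0 = datetime(2023, 1, 1, 9, 0, 0)
EVENTS = [(T0 + timedelta(seconds=i), "10.0.5.23", "10.0.10.4", 1 + i) for i in range(30)]
EVENTS += [(T0 + timedelta(seconds=10 * i), "10.0.5.7", d, p)
           for i, (d, p) in enumerate([("10.0.10.4", 443), ("10.0.10.9", 445), ("10.0.10.4", 443)])]

def parse_line(line):
    """Parse an assumed 'ISO-timestamp src dst dport' log line into (time, src, dst, port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def max_distinct_targets(events, window=timedelta(seconds=60)):
    """For each source, the largest number of distinct dst:port pairs seen within one window."""
    by_src = defaultdict(list)
    for t, src, dst, port in events:
        by_src[src].append((t, (dst, port)))
    result = {}
    for src, recs in by_src.items():
        recs.sort()
        in_window = deque()          # records still inside the sliding window
        counts = defaultdict(int)    # target -> number of hits inside the window
        best = 0
        for t, target in recs:
            in_window.append((t, target))
            counts[target] += 1
            # Expire records older than the window before measuring its width.
            while in_window and in_window[0][0] < t - window:
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            best = max(best, len(counts))
        result[src] = best
    return result

def find_scanners(events, threshold=20, window=timedelta(seconds=60)):
    """Sources that touched at least `threshold` distinct dst:port pairs within one window."""
    return sorted(src for src, n in max_distinct_targets(events, window).items() if n >= threshold)

if __name__ == "__main__":
    for src in find_scanners(EVENTS):
        print(f"possible internal scan from {src}")
```

Real deployments would feed this from firewall, NetFlow or VPN concentrator logs and tune the window and threshold to the network’s normal fan-out, since a backup server or a vulnerability scanner the company itself runs will trip a naive count.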
So, what will happen now? Will the company add another layer of security to prevent a similar attack in the future? Probably… and these attackers will probably move on to other organizations with a bit less security. The cat and mouse game continues.
What’s interesting in this story is that the initial attack on the employee’s Facebook friends is pretty hard to defend against, since nothing seemed out of the ordinary. There really was a corporate picnic!
What would you do next if you were a security manager at this financial institution?
What about no direct access to facebook.com (and other, if not all, sites) from a company workstation that is in the VPN? There are so many risks with these new rich internet applications, but since they don’t seem to be really necessary for work, the solution might be easy.
Good article Scott!
Tim, the situation is going to be different for every company. While it may be easy to block access to social networks in a financial institution that doesn’t have a business need for everyone to access these sites… imagine the situation for a PR or marketing firm. These businesses have legitimate business requirements for using social network sites. I’m sure there are lots of businesses large and small that have similar needs.
I wonder if the employees in this story were using Facebook on their company laptops at home, *not* connected to their corporate VPN? So even if the company did block social network sites while on the company network, this wouldn’t matter. This is a common problem organizations with laptops and a mobile workforce struggle with. Once you disconnect from the VPN… how do you control what web sites employees go to? This is why porn is still a problem on corporate PCs… they do it outside the corporate VPN, then bring a spyware/malware-infected PC back into the corporate network. 🙂
Unfortunately, this is a tough problem to address. There are lots of variables, and every business and company culture is different when it comes to using social media. One thing that we as security professionals *shouldn’t* do is just say no and block all access to social networks without looking for some solutions to lower the risk. For example, there are some technical solutions that could be implemented (like virtualized or sandboxed web browsers, i.e. Citrix sessions, virtual machines or even using Windows SteadyState). You could also wrap some additional network monitoring around the “authorized” usage of social networks and top it off with some user education plus a good social media policy. The key here is knowing what the business needs are and how security can help lower the risk of using these sites.