As I’ve been pointing out over many posts, hackers are generally not using very sophisticated techniques to break into corporate servers. Weak passwords vulnerable to brute-force guessing, or back-doors that were never removed from purchased software provide simple attack vectors. Could there be anything simpler? In fact, there is: how about just asking employees for their passwords!
I’m referring, of course, to phishing attacks, in which the bait is an email containing personal information hackers have collected through prior reconnaissance. The email is crafted to look official, often appearing to come from the bank or credit card companies holding your accounts (and money) or recently, online services that store emails, files, or other social information.
The goal is to catch the victims off guard while they’re scrolling going through their inboxes, and then getting them to click on a link that takes them to a non-legitimate web site. The more data that hackers have on the “mark”, the easier it is for this grift to work.
Often the hackers will focus on high-value targets, and this con has taken in folks at the executive and C-level, where the goal is usually to extract IP or other confidential and possibly embarrassing information.
One way to mitigate attacks that target corporate insiders and employees is through education. A few companies have taken this idea to an interesting and provocative level: one CEO at a major media company, himself a victim of a fake email, decided to phish his own employees to see who was susceptible.
The CEO learned that 58% of those who opened his phish-mail, took the bait and clicked. Disappointed, he decided to turn this into a teachable moment, ultimately sending out a company-wide email to employees, informing them of the results and politely asking for greater vigilance.
Is there a similar type of experiment that could be performed in the context of the file security scenarios we write about in this blog—i.e., sensitive content with “everyone” permissions?
I suppose a security conscious executive could seed a popular folder on the corporate server, say with a file that has a tempting name, such as Highly Confidential: Test Results of our Secret Dharma Project [or fill in blank with your own bait], give it very broad access permissions, and then step back to see what happens.
Varonis DatAdvantage, by the way, would provide lots of good data points for this study: number of employees who accessed how many files, how often, which employees, etc. And Varonis DatAlert could even alert you in real time when it was happening—think of it as a file system honeypot.
Companies that perform this file phishing experiment and share results with their staff actually accomplish more than educating employees in spotting confidential data: it could be a part of an overall IP protection program. If there was a trade secret violation incident that ended up in court, the type of exercise I just sketched out would be solid evidence that the company is serious about its IP. These and other employment practices are just one of the reasonable measures that help legally prove companies have a trade secret.
By the way, there are more details on this subject as well as some surprising results on IP leakage in a recent survey we conducted.