Six clicks: How hackers use employees to break through security walls

Summary: Employees are prime targets for cybercrime attacks against your company. Find out the six top ways criminals gain access to your valuable data, IP, and more.


  • No one wants to think about the idea of their company's customer data, infrastructure, IP or network security as the full-time target for hired-gun hackers, government spies or crime syndicates around the world.

    Unfortunately, it's true. Your most vulnerable point of attack is often the people you trust the most: your employees.

    By the standards of today's black market for thieves, your employees are in the crosshairs for some of the most serious attacks on your company. A new report from RAND Corporation, "Markets for Cybercrime Tools and Stolen Data" (commissioned by Juniper Networks), explains that in addition to unpatched vulnerabilities, the human element will continue to increase as the weak point for attacks.

    Updates, you can do. Vulnerabilities can be patched. But people... are people.

    The majority of successful security defeats are phishing attacks, where the victim clicks a link or downloads an app or attachment that infects... anything it wants to. And a phishing attack can do a lot of damage.

    One email spiked with innocuous-looking malware to a vendor cost Target an estimated 40 million credit cards and 70 million user accounts, which were hijacked and sold on the black market within days. Target's December disaster came from a phishing attack sent to employees at an HVAC firm it did business with.

    What's worse, employee-targeted attacks, when successful, often go undetected until it's too late. According to Inside the Hacker's Playbook:

    76 percent of breached organizations needed someone else to tell them they've been hacked. Employee awareness could be worth more than the latest anti-malware software, and will save you millions in the race to prevent cyber theft. (Trustwave, 2013)

    Each of the following pages shows ways hackers can access critical information from a company's employees:

  • The Front Page News Attack

    Right now, phishing is among the primary ways unwitting employees are used to attack your company. Phishing attacks are currently sophisticated in a few very specific ways, and RAND's report tells us that phishing is only going to get more sophisticated as the black market for cybercrime matures.

    Today's typical phishing attack is an email disguised to look familiar, fooling the employee into clicking on a link or downloading an attachment. But the trend for cyber criminals is exactly that: popular trends, and most especially front-page news.

    RAND explains the black market trend in news-item phishing, which often plays on emotional events. "Different pieces of the market react differently to outside events (e.g., natural disasters, revelations to Wikileaks, or releases of new operating systems).

    Front-page news items are often used in spear-phishing campaigns (e.g., "click this link to donate to victims of Haiti earthquake") raising the number of potential victims."

  • People who knead people ... are not the luckiest

    Violet Blue wrote "Updates, you can do. Vulnerabilities can be patched. But people... are people."

    So, according to you, we're all just Internet cows waiting for our turn in Tim Berners-Lee's meat grinder?

    On the contrary, people can be trained. Just to give one example, we can instruct our employees that, before clicking on a link: hover the mouse over it, look at the left-bottom corner of the screen to read the URL, and compare it against the domain we expect. If something like russian.cyber-criminals.commie is seen, report the email as spam.
    • I trust the good intentions of "people".

      I do not trust their ability to perform every task perfectly in every situation. Who would?
      • In every situation, I don't expect that

        However in certain situations where they have been told "Don't do this!" as in my post above this one? If they do it, they are fired unless they have a very good explanation, like "My manager told me to do it!"

        Then, it's the manager that is in for a pound of hurt and a pink slip.
    • Many well trained people have made mistakes

      so why should this be different?

      Or are all accidents to be attributed to "untrained" people?
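The hover check suggested in the first comment of this thread (read the link's real URL and compare it with the domain you expect) can also be run by a mail filter before the message reaches anyone. The sketch below is an added example, not part of the article or the comments; the function names, the sample message and the `example.com` / `.test` domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Host a browser would connect to: userinfo ("user@") and port removed."""
    try:
        return (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    except ValueError:
        return ""

def within(host, domain):
    return host == domain or host.endswith("." + domain)

URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def audit_links(html, expected_domains):
    """Return [(host, verdict)] for every http(s) link in the message."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel:, page anchors: nothing to hover-check
        host = host_of(href)
        shown = host_of(text) if URLISH.fullmatch(text) else ""
        if shown and not (within(host, shown) or within(shown, host)):
            verdict = "text-mismatch"    # label advertises a different site
        elif not any(within(host, d) for d in expected_domains):
            verdict = "unexpected-host"  # real destination is not a domain we expect
        else:
            verdict = "ok"
        results.append((host, verdict))
    return results

# Constructed sample message body (reserved example/test domains only).
SAMPLE = """<a href="https://intranet.example.com/giving">Company giving page</a>
<a href="http://example.com.relief-fund.test/donate">https://example.com/donate</a>
<a href="https://example.com@relief-fund.test/">Donate now</a>
<a href="mailto:help@example.com">Contact IT</a>"""
```

Calling `audit_links(SAMPLE, {"example.com"})` passes the first link and flags the other two web links. Both of those show a familiar name at the front of the URL, which is why the comparison is made on the parsed host rather than on the raw string.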
  • From an employee's viewpoint...

    I work with a lot of people, some smart and some - not so much. Computer security is drilled into our brains and still we all have the moment where we are not paying attention to what we are doing and accidentally open something we shouldn't have. You know, that 'Oh Crap' moment... Luckily this has not happened to me, knock on what appears to be wood, but it could. No one ever told me to hover my cursor over a link and compare the URL to the domain I should be seeing. I learned something new today and for that I say - Thank you.
    • You're welcome

      Most companies have eliminated training and now only do one of two things:
      - They only hire people with the exact skills required of the job (read some current job ads and you will see a laundry list of skills, often including products which only that company uses), and/or
      - They hire Indians via H-1B visas for much less money than Americans would earn.

      I could start work for a company and create a training program to eliminate most social engineering problems, but management often does not appreciate the dilemma.
      • Training

        Training is a partial solution. There are some users who do not understand basic security concepts. Whether they are just clueless or willful does not matter. The effect of their blunders is the same.

        Also, even the most aware, conscientious users will have lapses ("Oh crap") and do something very stupid.

        One workaround is to use the least privilege model for user accounts, but the problem is some OSes do not support this very well.
      • Third alternative

        Just pack up manufacturing and move to Thailand. We should really not knock Indians or Thailand. Management will search the world and find the cheapest labor possible. Those locations will change every few years
  • stopdatabreaches


    Privileged user accounts represent a big target for outside attackers as well through APTs (Advanced Persistent Threats) and social engineering. Organizations must embrace separation of duties along with least privileges and deploy new technologies that restrict privileged user access to data such as encryption, fine-grained access controls and detailed auditing and reporting of attempts to access any sensitive data.
    Data Breach

    • Just say no to privileged user accounts

      "Privileged user accounts represent a big target"

      A large part of the blame belongs to Microsoft. There has never been an explanation during installation along the lines of "create an admin account and only use it for installing software and configuration; create regular accounts and use them for surfing, Office, email, etc." 8 actually made things worse by allowing people to use Hotmail/Live/Outlook email accounts for admin logon.

      Ubuntu made the same mistake, but Fedora and other Linux distributions which mimic Unix with respect to root are okay.
      • this is why you have sysadmins

        to configure your computers...
  • In this context

    it's not called "hacking" by security experts. It's called "social engineering." Hacking is defined as externally penetrating network security. Social engineering (in this context) is the use of people who have access in order to gain access.

    There are a number of red hat consulting firms who do tests on this sort of thing in order to help management update their policies. They use people to gain access, plant custom non-harmful viruses where they can and demonstrate all the markers they left that show where vulnerabilities are.
    Jacob VanWagoner
  • People are the doesn't always work

    Years ago when the I love you virus was going around, an email was sent telling people not to click on any emails that said I love you. Not 5 minutes after the email went around and was read by my wife, she got an email from someone that said I love you and she clicked it and opened it and sent a whole new round of emails to the people in her address book. To this day she can't say why she clicked on it, my wife is intelligent but for some reason that day she did what she shouldn't have even though she was told not to.

    Today I will tell her about issues with her home computers and to avoid this and that, I still am never sure if she is actually listening to me but that is a whole other issue. I hound her about patching and A/V and security but who knows if she listens. People are the issue...
  • I Quit Reading on Page 2 after Auto-Scroll

    OK, now we not only have advertising on pages, but when we scroll to read what we want, the browser automatically scrolls back to the top -- and then to the bottom -- I GUESS so that we have to look at the ads. This, as if having to deal with the Gallery presentation isn't bad enough on its own?

    I'm just closing the tab. I'd love to read the content, but I can't deal with this.
  • Target Data Breach

    Fascinating. I knew there had to be some kind of "Inside" help in order to hack into the Target data networks. This has helped clear up that picture for me, it was "Unwitting" help from inside, due to a phishing attack - on a vendor account! It shows you the level of vulnerability that exists in just about every system out there now. Our network is probably typical these days where we have desktops, servers, switches, routers, backup devices, UPS's, and phones all on one "Mixed" backbone so we've got plenty of places where malicious code can originate - even in places we never thought of before. We have users who periodically fall victim to these malicious and get malware onto their machines and the network. It's always a mess, and costly to deal with.
  • and then there is a link on the ZDnet page

    telling me that if I click on the link I can find out "How People are Paying Less than $50 for New iPads"
  • web heading for uselessness...

    It is years since it was proposed that a program could run isolated from the rest of the computer to read through emails and attachments so that all the nastiness of the web could do no harm. Where the hell is this in use?

    Lack of decent security is going to make the web useless and worthless in a very short time if we continue on the current path.
    dumb blonde
    • Not dumb at all!

      We are getting to the point where it is dangerous to do any of the things for which computers, the web, browsers, etc. were invented in the first place. An analogy in the offline world would be if a significant amount of gasoline were contaminated with sugar in the pipeline, and any fillup could damage the engine severely, with no way to be sure which pumps were sugar free, thus negating the benefits of driving (I realize that alternative fuels are being developed, but this would make things very difficult until the economy could be reorganized to avoid gasoline completely ... I remember the oil embargo of the 1970s, gas lines, even/odd plate fillup days; starting under Nixon, before Carter even ran for President, contrary to what Rush stated on his show once in the 80s).

      At what point do the dangers of using a technology of convenience outweigh the convenience itself? And not just under special circumstances (don't use the elevators in a fire, use the stairs to evacuate), but often enough to make the technology worthless?
  • Security

    That means hackers are highly skilled individuals having every technique to beat our technical experts. The only difference is that they are exercising what they know in order to make damage!
    • 1/2

      Second half of what you just said is not necessarily true