If Jack Dorsey’s Twitter account can be compromised, what kind of protection can the rest of us hope for? Not only is the CEO of Twitter a savvy user, but he should have some of the best cyber security professionals behind him. What went wrong?
What's been publicly reported is that a SIM swap — when an attacker tricks your cell provider into thinking you’re activating a SIM card on a new mobile phone — might have allowed the perpetrators to use an SMS service to access Jack’s Twitter account.
That cyber criminals would go to such lengths might be less surprising than you think. Think about how much we rely on SMS messages and, more generally, our phones as our primary means of two-factor authentication (2FA). Except here, 2FA likely would have worked properly if social engineering were not also involved.
Social engineering, simply put, is the art of manipulating people into doing things. In the context of cyber security, it’s used to obtain valuable user information that can later be leveraged to gain access to accounts and systems for nefarious purposes. In Jack’s case, it seems an attacker gathered enough data to impersonate him convincingly and persuade his provider to activate a new SIM card, thereby gaining direct access to his account.
While technology is quickly catching up with social engineering tactics in some attack vectors — for example, by using machine learning to identify vulnerabilities and correct them — users themselves remain the most vulnerable point of attack. We all know that a weak password reused across multiple accounts can quickly give a malicious user access to multiple systems. And we know that most malicious users will take the path of least resistance.
Phishing, vishing and impersonation
The most common forms of malicious social engineering are phishing, vishing and impersonation. Most organizations are familiar with phishing and have strong products in front of their users to prevent them from clicking on the wrong or suspicious email links.
Vishing is a similar concept, except that instead of email, attackers use spoofed phone calls to extract information or influence action. Increasingly, we all get phone calls from what appear to be legitimate numbers, offering to help with tech support or wanting to discuss sensitive IRS matters over the phone. This is vishing in action.
Impersonation is probably the hardest social engineering feat to pull off. If done correctly, your phone number might be moved to a SIM card you don't control without your knowledge. Think about it: would you want someone else to have access to your phone? A malicious actor could go a lot further than just posting spammy tweets. They could access your bank account, email account and work files, and see every picture you've ever taken!
Social engineering is a real and growing threat your organization must be prepared for.
National Cyber Security Awareness Month
October is National Cyber Security Awareness Month — an annual campaign designed to engage and educate users through events and initiatives that raise awareness about the importance of cyber security and provide tips and resources to stay safe online.
As important as it is to have a solid security posture based on a strong architecture and clear strategy, it’s just as important that everyone in your organization and community knows how to combat social engineering.
While most people know to distrust email attachments and links from unknown sources, not everyone is as informed when it comes to the tactics attackers might use over the phone. Make sure everyone in your organization knows it’s always OK to question the validity of a request for information made over the phone. If you have any doubt that a caller is legitimate, it's always preferable (and acceptable) to tell the caller you'll call them back later. A little skepticism can go a long way toward helping you stay protected.
Establishing strong passwords in all aspects of your life can also go a long way toward preventing someone from successfully impersonating you. It might sound silly that your first pet’s name was “Blue,” but that one detail just might keep your phone account safe from someone trying to pass verification as you. Make yourself as hard to impersonate as possible, and be aware of what information can easily be harvested from social media or other public-facing outlets.
Educate and rationalize
Every organization should have a cyber security education program that supports strong information security policies. This education program should be updated annually to include the latest trends in social engineering and how users can best protect themselves. It’s critical to disseminate this information across the entire organization.
Organizations need a combination of strong technical protection and continuing education for all users. If you’re interested in making sure your organization is protected, I recommend a Security Tools Rationalization Workshop from WWT. This workshop can help you re-evaluate your existing security tools against industry standards to ensure the efficacy and maturity of your overall cyber security program. Our security experts will work with you to rationalize your security tools, including educating your team on where social engineering might play a role in the following (where applicable):
- Devices: Workstations, servers, mobile devices and IoT.
- Applications: Software, interactions and application flows on devices.
- Network: Software, interactions and application flows on devices.
- Data: Information residing on or traveling through endpoints, apps and networks.
- Users: The identities of users on your network.
Remember, financial institutions and most people in IT will never ask you for your password over the phone or via online chat. If you feel that you’ve been the victim of impersonation and are at risk of identity theft, the FTC has some great resources.