Page 49 - index
P. 49
Lesson: Ensure all employees have a heightened sense of awareness and sensitivity to
questionable requests like these and are prepared to deflect the situation by either directing
requests to the IT department or even playing dumb. “I don’t know” can be an answer when
talking to a social engineer.
Scenario: An attacker physically places a USB drive near the entrance of a company. An
employee finds it upon arriving to work in the morning, and in order to identify who it should be
returned to, plugs it into their laptop.
While good natured actions like trying to identify the owner of lost property is usually rewarded,
in the case of protecting your company’s network, it can be the reason an attacker is able to
infiltrate.
Lesson: Don’t connect your computer to any unknown USBs, external hard drives, etc.
because it can be much more harmful than you think. Shamoon and Dark Seoul both started
this way. Once the malware is introduced, it can propagate like mad.
No matter the social engineering tactic, attackers are persistent in how they research victims to
ensure their story is believable. Companies should put all employees through rigorous security
training and be mindful of what information is publicly available, since something as simple as a
name next to a job description could be the bad guys’ ticket in.
About the Author
Mike Buratowski, Vice President of Cybersecurity Services, General
Dynamics Fidelis Cybersecurity Solutions, manages the efforts of the
General Dynamics Fidelis’ Network Defense and Forensic Services
team – which has investigated more than 3,500 breaches – to help
customers prevent, contain and remediate breaches, along with
providing forensic evidence for the prosecution of cybercriminals. He
has also served various operational roles within the Department of
Defense’s Computer Forensics Laboratory, including examiner in the
Major Crimes & Safety section. Additionally, he managed the US-CERT contract, where he led
efforts in improving the nation’s cybersecurity posture and managed cyber risks facing the
nation.
49 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
