source: darkreading.com

From lengthy email signatures to employees' social media posts, we look at the many ways organizations make it easier for attackers to break in.

The most common slipup Snow sees in her research is companies oversharing online, especially on social media. Examples include human resources sharing photos and videos to attract job applicants, interns posting photos of new badges, and employees sharing photos at office functions.

"What they don't realize is that in those pictures or videos could be employees with their badges or information on whiteboards … a lot of things attackers could use to their advantage," she explains.

When Snow does a security assessment for a client, she looks for pictures of employee badges so she can create her own and bring it on-site. A quick Internet search for the company and its employees usually yields a photo of someone's office badge.

"It doesn't need to work," she says. "As long as it looks like everyone else's, I'm not questioned."

Of course, badge photos are only one example of content that shouldn't be shared on social media. Office pictures can also show an attacker how desks and cubicles are laid out, what type of computers employees use, and the programs, email clients, and browsers they're running. When companies participate in online trends and challenges – Snow points to the viral Ice Bucket Challenge as an example – they're not thinking of what they may accidentally reveal: close-up pictures of the building, access control systems, or Post-its with login credentials.

"They make it easy to duplicate and impersonate and have knowledge an outsider shouldn't have," says Hadnagy about the data companies unintentionally share online.

Out of Office: Watch What You Say

When asked about the most common ways companies make themselves vulnerable, Hadnagy first points to automatic replies, or out-of-office emails. Employees often pack a surprising amount of detail into them, enough for an intruder to exploit, he says.

An example: "Hey, this is Chris, I'm away in Hawaii on my honeymoon. For project X, contact X person at X email address; for project Y, contact Y person at Y email address."

By writing full names, project names, and contact details into an automatic reply, employees not only tell attackers where they are but also whom else to target. With this information, someone could email another employee at the company, pretend to be working with Chris on a project, obtain sensitive data, or request a wire transfer.

"It's something people don't often think about when they're doing out-of-office," Hadnagy says.
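A simple way to make this concrete is to scan an auto-reply the way an attacker would read it. The following is an added example, not code from the article or from Social-Engineer; it uses two constructed auto-reply texts (neither is quoted from the article) and heuristic regular expressions, so the name and phone patterns are assumptions that will produce false positives on real mail.

```python
import re

# Constructed sample auto-replies for this example; neither is quoted from the article.
LEAKY_REPLY = (
    "Hi, this is Chris. I'm away in Hawaii on my honeymoon until the 14th.\n"
    "For the Falcon migration contact Dana Ruiz at dana.ruiz@example.com or +1 555 0100.\n"
    "For the payroll project contact Mike Chen at mike.chen@example.com."
)
SAFE_REPLY = (
    "Thanks for your message. I am out of the office and will reply when I return.\n"
    "For urgent matters, please contact the team mailbox or the main switchboard."
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")   # "First Last" pairs; heuristic only
ABSENCE_RE = re.compile(r"\b(honeymoon|vacation|holiday|away in|until)\b", re.I)


def audit_auto_reply(text):
    """Return the details an attacker could harvest from an auto-reply, plus a risk level."""
    findings = {
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "phones": sorted(set(m.strip() for m in PHONE_RE.findall(text))),
        "names": sorted(set(NAME_RE.findall(text))),
        "absence_details": ABSENCE_RE.search(text) is not None,
    }
    if findings["emails"] or findings["phones"]:
        findings["risk"] = "high"      # direct contact details for the next target
    elif findings["names"] or findings["absence_details"]:
        findings["risk"] = "medium"    # names or travel details make impersonation easier
    else:
        findings["risk"] = "low"
    return findings


if __name__ == "__main__":
    for label, reply in (("leaky", LEAKY_REPLY), ("safe", SAFE_REPLY)):
        print(label, audit_auto_reply(reply))
```

Running it over the two samples rates the first "high" because it hands over two named contacts with addresses and a phone number, while the second, which points only at a shared mailbox and switchboard, rates "low". A check like this can sit in a mail-hygiene review or a periodic audit of configured auto-replies.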

Overly Detailed Job Postings

Seemingly innocuous job postings may give attackers the exact information they need, IBM's Snow points out. Many companies go into very specific detail about the internal software they use.

"What that does is it gives an attacker a lot of insight into their internal structure," she explains. "They can then craft specific malware for their environment."

Instead of creating malware and determining whether it will work through trial and error, attackers with knowledge of the company's software will know exactly what they need to break in. If they didn't want to develop malware, they could use this knowledge to create a phishing campaign and lure victims based on the software they're using.

"My success rate will go up so much more knowing that they use that," Snow adds.

What's in an Email Signature?

Some employees reply to phishing emails to prove they can't be fooled – "You're not catching me, scammer!" – and play right into attackers' hands.

The problem with this, Hadnagy says, is that it proves to intruders that a legitimate person is at the other end. From the reply they can learn the company's email address format, a formula they can use to identify and target other people within the same organization, as well as the target's personal details.

Email signatures have a lot of information, he points out. Most people include their full name, office phone number and extension, mobile phone number, social media handles, and/or website link in a signature, which can be fruitful for future phishing attacks.
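The "formula" Hadnagy describes is easy to show in code. The following is an added example, not code from the article or from Social-Engineer: it parses a constructed signature block, works out which common address convention the company uses from the one address it contains, and applies that convention to other names. The signature, the names, the example.com domain, and the list of conventions are all assumptions made for the example.

```python
import re

# Constructed signature block and target names for this example (not from the article).
SIGNATURE = """--
Chris Alvarez
Senior Project Manager, Example Corp
chris.alvarez@example.com | +1 555 0123 | @chrisalv"""

OTHER_EMPLOYEES = ["Dana Ruiz", "Mike Chen", "Priya N. Patel"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Common corporate address conventions, each built from (first, last); assumed list.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
}


def split_name(full_name):
    """Lower-case (first, last); middle names and initials are dropped."""
    parts = full_name.lower().replace(".", "").split()
    return parts[0], parts[-1]


def parse_signature(sig):
    """Take the first non-empty, non-delimiter line as the name and the first address found."""
    lines = [ln.strip() for ln in sig.splitlines() if ln.strip() and ln.strip() != "--"]
    match = EMAIL_RE.search(sig)
    return lines[0], (match.group(0).lower() if match else None)


def infer_format(full_name, email):
    """Return (format_label, domain), or (None, domain) if no known convention matches."""
    first, last = split_name(full_name)
    local, domain = email.lower().split("@", 1)
    for label, build in FORMATS.items():
        if build(first, last) == local:
            return label, domain
    return None, domain


def guess_addresses(fmt, domain, names):
    """Apply an inferred convention to other names; results are candidates, not confirmed."""
    build = FORMATS[fmt]
    return [f"{build(*split_name(n))}@{domain}" for n in names]


def harvest(sig, names):
    """Signature in, list of candidate colleague addresses out (empty if nothing can be inferred)."""
    name, email = parse_signature(sig)
    if email is None:
        return []
    fmt, domain = infer_format(name, email)
    if fmt is None:
        return []
    return guess_addresses(fmt, domain, names)


if __name__ == "__main__":
    print(harvest(SIGNATURE, OTHER_EMPLOYEES))
```

One reply with a signature is enough: the single address reveals the convention, and every name gathered from LinkedIn, a press release, or an out-of-office reply becomes a plausible address. If the local part does not fit any known convention (a numeric user ID, say), `infer_format` returns `None` and the attacker has to work harder, which is one argument for not deriving addresses directly from names.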

"I'm not saying don't use out-of-office or not to use signatures," Hadnagy continues. "What I'm saying is most people don't think those are viable attack vectors, so they do it and are unaware."

Failing to Verify Callers

One of Snow's usual pen-testing tactics is caller ID spoofing. "People trust caller ID," she says. "If someone's calling you, you don't question … you're just used to seeing that IT is calling or human resources is calling." Security training programs tell employees not to share their passwords, but they rarely emphasize the importance of questioning and verifying phone calls.

Caller ID spoofing and SMS spoofing are "huge," says Snow, and both are fairly easy for an attacker to pull off. When attempting to break into a company, she typically impersonates the IT or human resources department, she says, though her choice depends on the ultimate goal: If she's after technical data, she impersonates someone in the IT department; if she's looking for personally identifiable information, she pretends to be from HR.

"With phone calls and caller ID, if you do get a call, you should verify," Snow emphasizes. "Even if it's a number you know and they're requesting something, it's important to verify from the organization's point of view."

A New Kind of Credential Theft

Today's employees know better than to give their passwords over the phone, but they often fail to verify callers, Snow explains. Attackers targeting login credentials know this, and as a result they've had to adopt more creative ways to steal login data.

One of these strategies involves a phone call to the target. An example may sound like this: "Hi, I'm from IT. We're doing some updates, so I need you to log into this portal. I don't want your password; you just need to enter it into this site." The attacker sends a link to a site he controls, and when the victim logs in, the credentials go straight to the attacker. "It's been very, very successful," Snow says of her experience.

Other tactics are simpler, she says. Some attackers use smaller steps to obtain data they need to pull off a broader scheme. Simply getting the victim onto a website, for example, can give them a browser type and IP address. If attackers want a phone number or email address, they can send an email to human resources. Pretending to be a student seeking an internship can prompt a response from HR, complete with the always-informative email signature. Armed with this data, attackers are strongly positioned to launch an effective phishing campaign.

"I'm just looking for little pieces of information at a time so I can craft it all together in a larger attack," Snow says.

Watch Out for Gen Z

The frequency of employees posting photos on social media has "definitely increased" in recent years, says Snow, and it's likely to escalate as Gen Z enters the workforce.

"This generation has grown up online – they post their breakfast, their work life, everything," she explains. "Now that they're working, they're bringing that lifestyle into the organizations they work for, and it's affecting these organizations."

Snow says younger employees often yield the greatest amount of information in her red team engagements at IBM. As an example, she describes a major penetration test in which her goal was to mimic an attacker seeking access to a handful of crown jewels. In doing the open source intelligence (OSINT) for this project, she found a few younger employees were publicly sharing so much information that she was ultimately able to find the password reset instructions for the VPN. One of them had taken a picture next to their new employee badge, which happened to be next to the info.

"It was scary how fast and how much information [we could find] just by a handful of pictures," she says. With people posting dozens of pictures each day, it's happening more frequently. Snow advises companies to tailor security awareness training in a way that's understandable to younger incoming employees, so they're aware of how their online activity can be used against the organization.

Poor Application Security

Beyond posting inappropriate information, a common mistake companies make is failing to ensure their Internet-facing applications, whether Web-based or API-based, don't grant more access than a particular app needs, says Jim Fulton, director of product marketing at Forcepoint.

This problem manifests in several ways: Web apps may not properly check the inputs they receive and consequently allow attackers to access more data than they're supposed to see. Some breaches originate when data is stored on an Internet-facing system that an employee didn't think could be accessed. If attackers break through an app or service running on that system, they could grab information they wouldn't have otherwise been able to obtain.
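The first failure mode Fulton describes, an app that accepts an input and returns more data than the caller should see, is what a request handler looks like when it authenticates the user but never authorizes the specific record. The following is an added example, not code from the article or from Forcepoint: a constructed in-memory record store with a vulnerable lookup beside a hardened one. The store, the record shape, and the `outcome` helper are assumptions made for the example.

```python
# Constructed in-memory data store for this example (not from the article or any product).
INVOICES = {
    101: {"owner": "alice", "amount": 1200},
    102: {"owner": "bob", "amount": 560},
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(current_user, invoice_id):
    """Returns whatever id the client supplied.

    The caller was authenticated, but nothing checks that the record belongs to
    them, so any logged-in user reads any invoice just by changing the id.
    """
    return INVOICES[int(invoice_id)]


def get_invoice_hardened(current_user, invoice_id):
    """Validate the input's shape, then scope the lookup to records the caller owns."""
    if not isinstance(invoice_id, str) or not invoice_id.isdigit() or len(invoice_id) > 12:
        raise ValueError("invoice id must be a short decimal string")
    record = INVOICES.get(int(invoice_id))
    # Treat "exists but is not yours" exactly like "does not exist", so a client
    # enumerating ids cannot learn which ids are valid from the response.
    if record is None or record["owner"] != current_user:
        raise NotFound(invoice_id)
    return record


def outcome(handler, current_user, invoice_id):
    """Run a handler and report the result as an HTTP-style status, for side-by-side comparison."""
    try:
        handler(current_user, invoice_id)
        return "200"
    except NotFound:
        return "404"
    except (ValueError, KeyError):
        return "400"


if __name__ == "__main__":
    for handler in (get_invoice_vulnerable, get_invoice_hardened):
        print(handler.__name__, "bob reads 101:", outcome(handler, "bob", "101"))
```

Bob asking for invoice 101 gets alice's record from the vulnerable handler and a 404 from the hardened one; a malformed id such as `"101 OR 1=1"` is rejected before it reaches the store. The ownership check belongs in the data access path itself rather than in the UI, because the attacker is never using the UI.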

Sophisticated attackers can take this a step further by compromising a Web server or another Internet-facing application not to get things stored inside it, but to use as a "launchpad" for traversing the internal network, Fulton adds.

"Nobody wants to do something that helps hackers get in, but whenever information or systems are connected to the Internet or to something that is connected to the Internet, it inevitably happens," he says.

What You Can Do

Social-Engineer's Hadnagy says education is the first, but most difficult, step he recommends to prevent employees from accidentally leaking data. Oftentimes when he speaks about phishing attacks, many people haven't heard of voice phishing or SMS phishing scams.

"How can we expect a population to protect against a particular vector if they don't know what the vector is?" he says. Beyond educating employees on how these attacks work, businesses also should teach them what to do if they spot them. Actionable policies should dictate the steps for employees to take when they fall for a phishing scam, Hadnagy says. He's "still in shock" when businesses use shame, punishment, and fear as motivation for security awareness.

IBM's Snow emphasizes the importance of education and advises companies to reinforce security awareness training by conducting voice phishing and SMS phishing tests. This will let you know whether employees recognize and report attacks when they happen.

Fulton advises teaching employees not to share information that could be used to assume their identities, as well as adopting multifactor authentication so it's harder for attackers to pretend to be someone they're not.