January 18, 2023

Sleeping With The Enemy... Are Hackers Inside Your Company?

We all know what a hacker is: it's a teenager named David trying to hack into a government defense system because he thought it was a video game. In reality, it's a multi-billion-dollar, multi-faceted industry that's scooping up information from unsuspecting companies at unprecedented rates. More concerning is that it's all happening right under their noses. The more confident a company is, the more likely it is to be a victim.
Working with some of the nation's top Fortune 500 companies, we have begun to piece together a picture of what hackers are doing, and it's not good news for companies. Hackers (impersonating staff) are embedding themselves so deep inside company infrastructure that it's almost impossible to tell them apart from real employees.
The Problem... To give you some idea of what companies are facing, we are going to release a couple of scenarios that have been detected in recent months. The following examples fall under the heading of Social Engineering. "Social Engineering" is just a fancy term for human hacking, i.e. the exploitation of company infrastructure or, simply put, getting information from employees.
What are they after? Understanding their methods might be easier if you understand what the hackers are after. The targets can be just about anything, but here are a few samples of company assets that hackers are targeting: usernames and passwords to gain access to company systems; trade secrets and product design information like source code and hardware design specifications; personal information on employees for sales or recruitment purposes; manufacturing costs during pricing wars; and company internal procedures and event data for phishing and email impersonation attacks.
Becoming invisible... Every company will have its own vulnerabilities, but (hands down) the preferred method will be through people. Simply put, it's getting someone inside the company to talk. If done properly, an experienced hacker will get in and out completely undetected.

The attack generally starts with about four questions: How big is the company? Who inside the company has the information the hacker wants? How many different ways does the data exist inside the company? And what are the company's internal policies for giving out information?

If a hacker is told that they must have a badge number to get the information, they will simply get one. Getting a badge number is as easy as finding new employees, and it's easy to find the names of new employees online. Hackers will then call the new employee and say, "Hi, I'm John in HR, welcome aboard. I'm just closing out your file, do you have any 401K questions or anything?" During the call, the hacker will confirm (you guessed it) the employee's cubicle and phone number, building, manager's name and, of course, the employee's badge number. Basically, the hacker is looking to collect whatever information is needed to impersonate that employee. Now the hacker is effectively invisible.

If a hacker is detected during a call, employees will often tell the hacker why they failed, i.e. "What's your badge number?" That's a mistake. Hackers will just use that information to develop a better ruse. Many people believe that if they accuse a hacker of being a hacker, they will cave and apologize. Nothing could be farther from the truth. To a hacker, social engineering is just a sales call: you handle the objection and re-close.
Another tactic... Another popular tactic employed by hackers is setting up mail-stops inside targeted companies. That's right, they'll set up their own mail-stop inside your company. It's easier than you think. Even in our digital age, most companies still have mail-rooms to deal with the large volume of incoming mail and packages they receive. Mail-rooms and their employees are also used to move paper and other items from one employee to another across campuses or divisions. Mail-room employees are seldom trained for Social Engineering attacks, and turnover is high even if they were. Hackers call the mail-room and say, "Hi, I'm Joe Smith and I'm the new guy in sales. I'm traveling and won't have a hard address for a week or so. Can you set me up a temporary mail-stop until I get settled in? I can come by and grab stuff when I'm in town." If successful (and the odds are in the hacker's favor), the mail-room employee will set up a mailbox for Mr. Smith, who can now call any employee in the company and say, "Just inter-office it to me." The hacker is now invisible. All the hacker has to do now is wait a day or so and call the mail-room: "Do I have anything in my box?" The rest is easy to figure out. It's estimated that about 5% of companies have mail-stops in their own mail-rooms that go to employees that don't exist, or worse, they'll find mail-stops that are set to auto-forward to an address that is not on file. Mail-rooms are seldom audited, and to make matters worse, many companies have multiple mail-rooms across their locations.
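The audit the paragraph above says seldom happens can be automated once the mail-room's box register and the HR roster are both available as records. The following Python script is an added example written for this page, not String Logic's code or tooling; it reconciles mail-stops against HR and flags the two conditions described (boxes held by people HR has never heard of, and boxes that auto-forward to an address HR does not have on file), plus a lower-severity flag for boxes opened by name only, which is exactly what a phone request produces. All employee names, box numbers, addresses and the record layout are constructed sample data.

```python
"""Reconcile mail-room mail-stop records against the HR employee roster.

Added example (not String Logic's code). Record layouts, names, addresses
and box numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    on_file_addresses: frozenset  # mailing addresses HR holds for this person


@dataclass(frozen=True)
class MailStop:
    box: str
    holder_name: str
    employee_id: Optional[str]  # None when the box was opened from a phone request
    forward_to: Optional[str]   # set when the box auto-forwards to another address


@dataclass(frozen=True)
class Finding:
    box: str
    reason: str
    detail: str


def audit_mail_stops(employees: List[Employee], mail_stops: List[MailStop]) -> List[Finding]:
    """Return one Finding per mail-stop that does not reconcile with HR."""
    by_id: Dict[str, Employee] = {e.employee_id: e for e in employees}
    by_name: Dict[str, List[Employee]] = {}
    for e in employees:
        by_name.setdefault(e.name.lower(), []).append(e)

    findings: List[Finding] = []
    for ms in mail_stops:
        if ms.employee_id is not None:
            emp = by_id.get(ms.employee_id)
            if emp is None:
                # Box carries an id HR does not know: nobody to reconcile against.
                findings.append(Finding(ms.box, "no_matching_employee",
                                        f"employee id {ms.employee_id} is not in HR"))
                continue
            if emp.name.lower() != ms.holder_name.lower():
                findings.append(Finding(ms.box, "name_mismatch",
                                        f"box says '{ms.holder_name}', HR says '{emp.name}'"))
        else:
            matches = by_name.get(ms.holder_name.lower(), [])
            if len(matches) != 1:
                findings.append(Finding(ms.box, "no_matching_employee",
                                        f"no unique HR record for '{ms.holder_name}'"))
                continue
            emp = matches[0]
            # A name-only box is what the phone ruse produces; flag it until HR confirms.
            findings.append(Finding(ms.box, "unverified_holder",
                                    f"opened without an employee id; HR candidate {emp.employee_id}"))
        # Auto-forwarding is only acceptable to an address HR already has on file.
        if ms.forward_to is not None and ms.forward_to not in emp.on_file_addresses:
            findings.append(Finding(ms.box, "forward_address_not_on_file",
                                    f"auto-forwards to '{ms.forward_to}'"))
    return findings


# Constructed sample data: a two-person HR roster and six mail-stop records.
SAMPLE_EMPLOYEES = [
    Employee("E100", "Alice Nguyen", frozenset({"12 Elm St, Springfield"})),
    Employee("E101", "Joe Smith", frozenset({"4 Oak Ave, Springfield"})),
]

SAMPLE_MAIL_STOPS = [
    MailStop("MS-01", "Alice Nguyen", "E100", None),                     # clean
    MailStop("MS-02", "Joe Smith", None, None),                          # opened by phone, name only
    MailStop("MS-03", "Dana Brooks", None, None),                        # nobody by that name in HR
    MailStop("MS-04", "Alice Nguyen", "E100", "PO Box 77, Anytown"),     # forward to unknown address
    MailStop("MS-05", "Alicia Nguyen", "E100", None),                    # id is real, name is not
    MailStop("MS-06", "Pat Ortiz", "E999", None),                        # id unknown to HR
]


def run_sample_audit() -> List[Finding]:
    """Run the audit over the constructed sample records."""
    return audit_mail_stops(SAMPLE_EMPLOYEES, SAMPLE_MAIL_STOPS)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.box}: {f.reason} ({f.detail})")
```

Running the script lists five of the six sample boxes; only MS-01 reconciles cleanly. In practice the same check is worth repeating per mail-room, since the article notes that companies often run several of them.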
Digital vs. Human... The methods used by hackers are too numerous to mention, but one thing is for certain: the days of sitting at a computer trying to guess usernames and passwords based on research acquired at the public library are over. Human hacking is much faster. I heard a question posed at a security conference recently that attempted to compare digital hackers to human hacking. The question: If a digital hacker and a human hacker were given the same target, who would win? The short answer is that the two are very different, but a human hacker can often acquire credentials via social engineering that a digital hacker may not have access to, even if multi-factor authentication is used. Most of the time, digital hackers and human hackers work as a team. If a human hacker discovers that the company just had a fire drill or the alarm went off accidentally, the digital hacker will release a phishing (email/messaging) attack with the message, "Did you hear the fire alarm in your building today? YES/NO? If you are working from home click here." That may be a silly example, but all the hacker needs is for one person to fall for it.
The point... Modern cyber attacks are quickly evolving into human-first attacks, starting their digital attacks with social engineering. To combat this approach, many companies are making the mistake of training their employees about hackers. That will never work. Success can only be achieved by changing the way a company communicates with itself internally and by knowing your company's unique vulnerabilities. This is what escapes most companies: the data that a hacker is going after is like a big jigsaw puzzle. During a data breach, information is almost never collected from just one person but from many people from all across the company. Data is collected piece by piece over several days or even weeks until the puzzle is complete.
Astounding... What hackers can learn from just talking to employees is astounding. The one piece of the puzzle that you possess may seem innocuous to you, but to a hacker it could be the final piece that puts it all together. Many companies have made headlines recently after falling not for digital attacks but for Social Engineering attacks. Other than intellectual property on company products, hackers are getting credentials from employees and, in turn, accessing company systems.
Too smart... Many people believe that they are too smart to get hacked. If that's you, then you have probably been hacked. One survey of hackers indicated that some of the most helpful people in a company are its top executives. The problem is that employees are trusting their instincts.
The numbers... It is difficult to know real numbers, but our experts believe that most digital attacks, whether ransomware, systems access, or phishing attacks, all start with some kind of exploitation of company infrastructure. Someone inside the company spilled the beans. Around the world, Social Engineering attacks are costing companies billions of dollars in lost revenue.
If you have any questions about this article or if you would like some information about String Logic's I.P. retention services, feel free to email me at Jim@StringLogic.net
MEDIA CONTACT
Public Affairs
String Logic Inc.
408-866-0700
press@StringLogic.net

-------------------------------------------------------------------------------------------

FOR IMMEDIATE RELEASE:
Sunday, July 12, 2020
Trump/Biden Race To The White House, The Firm That Got It Right
In 2016, as standard polling predicted Hillary Clinton would take the White House, a Nashville, Tennessee firm pushed out some very different numbers.
For three months ahead of the 2016 election, using proprietary algorithms that scan Internet chatter, String Logic Inc. predicted that Donald Trump would take the White House.
Using String Logic as a race predictor was something new for String Logic. The technology is primarily known in the Human Capital arena as a way to isolate top talent, and for information gathering in the corporate intelligence sector.
Using String Logic technology to predict a political run was first attempted in 2012. "It was just something to try," said String Logic Founder Jim Ball. String Logic did get it right in 2012, but so did most polls and race predictors. Since 2012, String Logic had maintained a perfect track record in the political arena; then came Donald Trump. This time the numbers fell far away from standard polling. "To tell you the truth, I didn't believe it myself," Ball said. "On November 8, 2016, at 3:22 AM, as we pushed out the final numbers to Twitter, we thought this has the potential to make us all look pretty dumb." But as that morning turned into night, it was clear that String Logic was seeing something that mainstream polling missed.
Since 2016, running the logic for smaller races and a few paid clients, String Logic has continued to maintain its perfect track record. Now the firm is pointing the technology at November 2020. As the first set of numbers roll in, String Logic has already drifted away from standard predictors.
To follow String Logic's 2020 political race numbers, go to https://www.stringlogic.net/politicaldatacapture/ or follow the firm's numbers on Twitter at https://twitter.com/StringLogic