Cybersecurity Without Insanity? It’s as simple as 3 – 2 – 1…
This week: Today is Saint Patrick’s Day, so it’s a holiday in Ireland. While some people in Ireland may spend the day complaining to their friends in the local pub about the disgraceful stereotype of Ireland as a country full of drinkers, here are a few stories to keep the rest of us sober. Including why we should watch out for a Pot of Gold on LinkedIn. Sláinte!
3 – How public information and a few emails can beat your cyber defences
The US Cybersecurity and Infrastructure Security Agency (CISA) recently reported on how attackers were able to gain access to a large critical infrastructure organisation using public information and a few phishing emails.
Fortunately, as mentioned by Secure The Village and ZDNet recently, the attackers were working for CISA and were seeing if they could gain access before real cyber attackers found a way in. The attackers used information available online to identify staff. They used this information to target these staff members with tailored phishing emails. Once one of these staff members was fooled, the attackers gained access to information about who in the organisation had more powerful system access (aka ‘privileged access’). They then targeted these individuals with phishing emails, eventually fooling one person, and thus opening the door for the attackers to gain powerful and persistent access.
Amongst CISA’s recommendations, it is no surprise to see a recommendation that Multi-Factor Authentication is enforced wherever possible, so one staff member being fooled into revealing their password is not enough for an attacker to gain access to a system.
2 – The AI* arms race: Cyber Security Edition
We all need to keep up with developments in the AI* world. The true impact of AI on our lives may be unclear. But it is inevitable. From a cyber security perspective, this article on Forbes discusses how the latest version of GPT-4 (the AI behind ChatGPT) can be used by cyber criminals for malicious purposes.
It’s an interesting read, as it describes how AI could help unskilled cyber attackers to get better at their ‘craft’. But I think this is the key point / source of relief:
“It doesn’t improve upon existing [cyber attacking] tools [but it is] effective in drafting realistic social engineering content”.
In other words, phishing emails are going to get more difficult to spot.
1 – Watch out for a Pot of Gold on LinkedIn
Cyber gangs working for North Korea are increasingly using fake profiles on LinkedIn to offer targets extravagant jobs at big-name firms with massive salaries, in the hope of gaining their trust and increasing the likelihood of the target opening a malicious document or visiting a malicious website.
As reported by CyberScoop, previous scams involved gangs targeting people through emails. But now that people are more aware of how they’re targeted through such emails, the attackers are moving to platforms such as LinkedIn to try to avoid detection.
My advice is to ensure that any cyber security awareness training includes warnings about the likelihood of staff being targeted through fake LinkedIn profiles and/or interesting but fake job offers.
* PS When I write about AI, I am talking about Artificial Intelligence. If you are seeking information on Artificial Insemination, I recommend you read the Farming section in the Irish Independent.
PS To listen to Cyber 3-2-1 and a roundup of my other articles this week, all episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.