In my recent post, I discussed how in today’s world, identity is ubiquitous – it reaches into almost everything we touch, while identity theft and fraud have become near constant topics in the news.
I also used the fictional example of John Smith to show the ramifications that revealing personal information on the internet can have for an individual. We saw that revealing seemingly innocuous personal tidbits had far-reaching and disastrous consequences. Malicious entities were able to collect John Smith’s personal information and then used it to steal his identity, effectively ruining his career and personal life.
But that's just John's mess...
Now, while the John Smith example is bad, you might think to yourself, “but that’s just John’s mess…” Well, unfortunately, things can get far worse.
Before the bad guys escalated things to the point of ruining John's life, before they were uncovered and at least stopped in their tracks, before anyone, even John, noticed something was amiss… the hackers went after his employer.
Crafty and cunning, the attackers used a phishing campaign, cloaked in secrecy behind a fake John Smith identity. They emailed the IT department, asking for urgent help in resetting his password. The fake John Smith then provided his “parents’” phone number at which to reach him because he was “out of town.”
When the Help Desk called back, they asked a series of identifying questions, intending to make sure John Smith was the person asking for their help. The questions asked were “What was your eldest child's first name?”, “What is your favorite baseball team?”, and “What type of dog do you own?”
We all know where this is leading, right? Of course we do! The informative profile that the hackers built up from their research on John gave them all of the information they needed to pass the test. The Help Desk not only reset his password, but also assisted “John” with remembering where to download VPN access software and how to install it to connect back to the corporate network, since he was “away from his home office,” and had to “urgently deal with a customer issue.”
With their feet in the front door, the hackers proceeded to plunder, pillage, and ultimately, take control of the entire network, leaving no data untouched and no stone unturned. The score: Hackers 1, John and his company 0.
This was all just a story, right?
Unfortunately, no, this isn’t just a fairy tale. It happens every day, certainly more often than gets reported, and it isn't always immediately caught. Data might be compromised for days, months, or even years before someone realizes what has occurred.
How many customers have been affected? How will the company recover from their blemished image? How many fines will have to be paid, and who might face legal ramifications? All of these questions will need to be answered.
Rights and wrongs
Reviewing the example of John Smith and his company, let's look at what was done right, what was done wrong, and what might be done differently, in order to safeguard John's personal identity and strengthen his company's security posture.
- John's company implemented challenge / response questions.
- The company's support organization used them to 'validate' his identity.
- John published an excessive amount of personal information to his social media sites.
- John's employer, while it did well to implement challenge / response, chose questions whose answers are commonly known or widely shared.
- The company relied ONLY on the challenge / response security measure.
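To make the last three points concrete, here is a small model of the help-desk reset decision, added as an illustration and not taken from the original post or any real help-desk system. The employee record, phone numbers, the keyword list of "discoverable" topics and the policy rules are all my own constructed assumptions; the three challenge questions are the ones from the story.

```python
from dataclasses import dataclass

# Topics whose answers people routinely share on social media. A challenge question
# mentioning one of these gives little assurance. Keyword list is a constructed assumption.
DISCOVERABLE_TOPICS = ("child", "son", "daughter", "team", "dog", "cat", "pet",
                       "school", "birthday", "maiden", "car", "city")

@dataclass(frozen=True)
class EmployeeRecord:
    username: str
    phone_on_file: str            # held by HR; never taken from the caller

@dataclass(frozen=True)
class ResetRequest:
    username: str
    callback_number: str          # number the requester asked to be reached at
    questions_asked: tuple        # challenge / response questions the desk used
    kba_passed: bool              # requester answered them correctly
    mfa_push_approved: bool = False   # out-of-band factor, e.g. push to an enrolled device
    manager_approved: bool = False    # or a recorded approval from the line manager

def weak_questions(questions):
    """Return the questions whose answers are likely discoverable from public profiles."""
    return [q for q in questions if any(t in q.lower() for t in DISCOVERABLE_TOPICS)]

def evaluate_reset(req, record):
    """Decide a help-desk reset. Returns (allowed, reasons); no reasons means allowed."""
    reasons = []
    if req.callback_number != record.phone_on_file:
        reasons.append("callback went to a caller-supplied number, not the number on file")
    if not req.kba_passed:
        reasons.append("challenge / response not passed")
    if weak := weak_questions(req.questions_asked):
        reasons.append("weak challenge questions used: " + "; ".join(weak))
    if not (req.mfa_push_approved or req.manager_approved):
        reasons.append("challenge / response was the only control; second factor required")
    return (not reasons, reasons)

# Constructed scenario matching the story: the impostor gives his "parents'" number and
# passes questions whose answers were scraped from John's social media.
JOHN = EmployeeRecord("jsmith", "+1-555-0100")
IMPOSTOR = ResetRequest("jsmith", "+1-555-0199",
                        ("What was your eldest child's first name?",
                         "What is your favorite baseball team?",
                         "What type of dog do you own?"), kba_passed=True)
GENUINE = ResetRequest("jsmith", "+1-555-0100",
                       ("What is the asset tag of your assigned laptop?",),
                       kba_passed=True, mfa_push_approved=True)

if __name__ == "__main__":
    for name, req in (("impostor", IMPOSTOR), ("genuine", GENUINE)):
        allowed, reasons = evaluate_reset(req, JOHN)
        print(name, "allowed" if allowed else "denied", reasons)
```

Run as-is, the impostor's request is denied on three counts (caller-supplied callback number, discoverable questions, no second factor) even though every challenge answer was correct, which is exactly the gap the story exposes.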