In a recent Cybersecurity briefing for the Telecom Industry, Deloitte published an article (https://www2.deloitte.com/global/en/pages/risk/articles/Telecommunications.html) that discussed three case studies illustrating how and why cybercriminals target Telecom Providers. Deloitte states: “Telecom companies are a big target for cyber-attacks because they build, control, and operate critical infrastructure that is widely used to communicate and store large amounts of sensitive data.” It is important to note that these threats are not limited to the Telecom providers themselves. They apply to every organization that delivers Telecom services, such as Contact Centers, which perform functions like Customer Support, Sales Hotlines, and Helpdesks.
An analysis of the specifics of each attack case study presented by Deloitte reveals a common theme. Each incident has two elements: a technological invasion, and an exploited human vulnerability that was induced through social engineering.
Let’s examine a case study, and determine the correct strategy to safeguard against such an attack.
Case Study: A nation-state launched a successful cyber-attack against a Mobile Communications Provider to spy on large groups of mobile phone users. The cyber-criminals used a combination of several different techniques to carry out the attack: “The attackers first spoofed the personal social media pages of privileged users within the company. The spoofed pages then installed malicious software on the users’ computers, taking advantage of their elevated system privileges to penetrate deeply into the company’s network. This vulnerability ultimately allowed the attackers to access mobile communication data for surveillance purposes. The size and scope of the attack did significant damage to the organization’s reputation and confidentiality of the infrastructure. It also fueled customer concerns about privacy, which is a significant issue for the entire telecom sector.”
If we analyze the methods used to carry out the attack, the two elements described earlier become apparent:
1. The attackers spoofed the personal social media accounts of privileged users — several issues are highlighted here.
a) Social Element — People with high-level clearance accessing personal social media websites on company assets.
b) Social Element — How did the attackers know whom to target?
c) Social Element — How did the person get redirected to the phony website?
2. The spoofed pages then installed malicious software on the users’ computers — this is a Technological Invasion component.
3. Taking advantage of their elevated system privileges to penetrate deeply into the company’s network — this part contains both the social and the technological elements:
a) Social Element — Why does one person have such high-level access to company data?
b) Technological Invasion — Malicious software that was able to penetrate the company’s defenses and grant the attackers access to spy on customers’ phone calls.
In terms of a practical Cybersecurity strategy, just as the attack consisted of both elements, human and technological, so too must the protection against such attacks: a human element, which consists of educating ourselves on the inherent dangers and updating company policies to account for the risks, and a robust technological safety net to shield against technological attacks. The attack in this case study contained 4 social or human elements and only 2 technological components. To protect ourselves against such an attack, we therefore need to focus first on the human element, and only then shore up our defenses with technology.
For the human element, we need to understand that technology changes very frequently. Just as we make rapid advances in technology, so do the cyber-criminals. Every time a new safeguard is put in place, they have already figured out a way around it! Therefore, we need to provide security training to our employees on a regular basis, and the people who have sensitive access to company data need even more education! For example, they need to be extremely familiar with what a phishing attack is and how to recognize it instantly (i.e., the spelling of a website’s address is off, or an email you were not expecting asks you to click a link to log in, etc.).
Companies need to update their policies to reflect the genuine threats that exist today, especially if the company may be a target. For example, employees, especially ones with critical and sensitive high-level access, should be banned from logging into personal email and social media sites from their work computers. We have to start with the basics: any online site that is not 100% business related should be blocked. This cuts down a significant amount of risk.
Next, we need to be prudent about what information we are voluntarily giving away. For example, we should not post on our company website who the CIO or CISO is. Their email signature should not contain information (such as title, phone number, and email address) that can be harvested and shared with others. Finally, company policy should be very strict about who has access to what, and access should be revoked as soon as the need goes away.
For the technological component, we should leverage our existing security technologies, such as Firewalls and Anti-Virus, and implement a combination of Identity & Access Management (IAM) and Multi-Factor Authentication, along with Cyber defenses that leverage Machine Learning and Artificial Intelligence to fight today’s sophisticated cyber-threats.
For example, our firewalls should block any websites that don’t have a specific business purpose. Computer operating systems and company software should be at their latest patch release levels, and Anti-Virus software should be up to date. IAM enables you to manage permissions and access to data, even when roles change, and allows you to instantly revoke all access when an employee is terminated.
Should a critical employee’s workstation or login account become compromised, multi-factor authentication prevents the breach from getting too far. Multiple failed multi-factor attempts will instantly flag the account as suspicious, and lock it until it gets manually released by a security administrator.
Cyber defenses that leverage machine learning study the access behavior patterns of employees. Artificial Intelligence flags an account as suspicious when a New York City-based employee’s login account is accessed from Iran, especially when he didn’t have any flights scheduled to the Middle East!
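The two controls described above, locking an account after repeated MFA failures and flagging a login from a country that does not match the employee's baseline, can be replayed over authentication logs. The following is an added example written for this article, not code from Deloitte or from any product; the log format, the field names, the three-failure threshold and the per-user home country are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample auth log lines (not from the article): timestamp, account,
# country resolved from the source IP, and the MFA outcome.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice src_country=US mfa=pass
2024-05-01T17:30:00Z user=alice src_country=US mfa=pass
2024-05-02T03:10:00Z user=alice src_country=IR mfa=fail
2024-05-02T03:11:00Z user=alice src_country=IR mfa=fail
2024-05-02T03:12:00Z user=alice src_country=IR mfa=fail
2024-05-02T03:13:00Z user=alice src_country=IR mfa=pass
2024-05-02T09:00:00Z user=bob src_country=US mfa=pass
"""

MFA_FAIL_LIMIT = 3  # assumed policy: lock after this many consecutive MFA failures

@dataclass
class AccountState:
    home_country: str                 # the employee's expected login location
    consecutive_mfa_failures: int = 0
    locked: bool = False              # cleared only by a security administrator
    alerts: list = field(default_factory=list)

def parse_line(line):
    """Turn 'ts key=value ...' into a dict; the first token is the timestamp."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = ts
    return fields

def evaluate(log_text, home_countries):
    """Replay the log and return per-account state (lock status plus alerts)."""
    states = {u: AccountState(c) for u, c in home_countries.items()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        st = states[ev["user"]]
        if st.locked:  # a locked account stays locked even if MFA later succeeds
            st.alerts.append(f"{ev['ts']} attempt on locked account from {ev['src_country']}")
            continue
        if ev["src_country"] != st.home_country:
            st.alerts.append(f"{ev['ts']} login from {ev['src_country']}, expected {st.home_country}")
        if ev["mfa"] == "fail":
            st.consecutive_mfa_failures += 1
            if st.consecutive_mfa_failures >= MFA_FAIL_LIMIT:
                st.locked = True
                st.alerts.append(f"{ev['ts']} locked after {MFA_FAIL_LIMIT} MFA failures")
        else:
            st.consecutive_mfa_failures = 0
    return states
```

Running `evaluate(SAMPLE_LOG, {"alice": "US", "bob": "US"})` leaves bob untouched and locks alice on the third failure, so the later successful MFA attempt from the same location is recorded against a locked account rather than granting access.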
In conclusion, there is no single solution to Cybersecurity. Cyber-criminals are incredibly sophisticated and employ a combination of techniques to break into a company’s network. Therefore, our security solution must also consist of a combination of education, best practices, technology, and a lot of common sense.
About the Author
Avrohom is the founder of #AskTheCEO Media, where he helps businesses to be heard over the noise on social media by translating your company’s message into words your customers understand.