In a recent cybersecurity briefing for the telecom industry, Deloitte published an article (https://www2.deloitte.com/global/en/pages/risk/articles/Telecommunications.html) that discussed three case studies illustrating how and why cybercriminals target telecom providers. Deloitte stated, “Telecom companies are a big target for cyber-attacks because they build, control, and operate critical infrastructure that is widely used to communicate and store large amounts of sensitive data.” It’s important to note that these threats do not apply only to the telecom providers themselves. They apply to every organization that provides telecom services, such as contact centers, whose functions include customer support, sales hotlines, and helpdesks.
When the specifics of each of Deloitte’s case studies are analyzed, a common theme emerges. Each incident has two elements: a technological intrusion, and a human vulnerability that was exploited through social engineering.
Let’s examine a case study, and determine the correct strategy to safeguard against such an attack.
A nation-state launched a successful cyber-attack against a mobile communications provider to spy on large groups of targeted mobile phone users. The cyber-criminals used a combination of several different techniques to carry out the attack: “The attackers first spoofed the personal social media pages of privileged users within the company. The spoofed pages then installed malicious software on the users’ computers, taking advantage of their elevated system privileges to penetrate deeply into the company’s network. This vulnerability ultimately allowed the attackers to access mobile communication data for surveillance purposes. The size and scope of the attack did significant damage to the organization’s reputation and confidentiality of the infrastructure. It also fueled customer concerns about privacy, which is a significant issue for the entire telecom sector.”
If we analyze the methods used to carry out the attack, the two elements described earlier become apparent:
- The attackers spoofed the personal social media accounts of privileged users. Several issues are highlighted here:
  - People with high-level clearance were accessing personal social media websites on company assets.
  - How did the attackers know whom to target?
  - How were these people redirected to the phony website?
- The spoofed pages then installed malicious software on the users’ computers. This is the technological invasion component.
- The attackers took advantage of the users’ elevated system privileges to penetrate deeply into the company’s network. This part contains both the social and the technological elements:
  - Why does one person have such high-level access to company data?
  - Why was malicious software able to penetrate the company’s defenses and grant the attackers access to spy on customers’ phone calls?
In terms of a practical cybersecurity strategy, just as the attack consisted of both elements, human and technological, protection against such attacks requires both elements. It requires a human element, which consists of educating oneself on the inherent dangers and updating company policies to account for potential risks, as well as a robust technological safety net to shield against any kind of technological attack. The attack in this case study contained four social or human elements and only two technological components. Likewise, to protect ourselves against such an attack, we need to focus first on the human element, and only then shore up our defenses with technology.
For the human element, we need to understand that technology changes very frequently. Just as we make rapid advances in technology, so do the cyber-criminals. Every time a new safeguard is put in place, they have already figured out a way around it. Therefore, we need to provide security training to our employees on a regular basis. People who have sensitive access to company data need even more education. For example, they need to be extremely familiar with what a phishing attack is and how to recognize it instantly (e.g., the spelling of a website’s address is off, or an unexpected email asks you to “click here to log in”).
Companies need to update their policies to reflect the genuine threats that exist today, especially if the company is a likely target. For example, employees, especially those with critical and sensitive high-level access, should be banned from logging into personal email and social media sites from their work computers. We have to start with the basics. Any online site that is not 100% business-related should be blocked. This cuts down a significant amount of risk.
Next, we need to be prudent about what information we are voluntarily giving away. For example, we should not post on our company websites the names of our CIOs and CISOs. Their email signatures should not contain any sensitive information (e.g., title, phone number, and email address), which can then be turned around and shared with others. Finally, company policy should be very strict about who has access to what, and when that access should be revoked.
For the technological component, we should leverage our existing security technologies, such as firewall and anti-virus software, as well as implement a combination of Identity and Access Management (IAM), multi-factor authentication, and cyber defenses that leverage Machine Learning and Artificial Intelligence to fight today’s sophisticated cyber-threats.
For example, our firewalls should block any websites that don’t have a specific business purpose. Computer operating systems and company software should always be on their latest patch releases, and anti-virus software must be kept up-to-date. IAM enables you to manage permissions and access to data, even when roles change, and allows you to instantly revoke all access when an employee is terminated.
Should a critical employee’s workstation or login account become compromised, multi-factor authentication prevents the breach from getting too far. Multiple failed multi-factor attempts will instantly flag the account as suspicious, lock it until it gets manually released by a security administrator, and use UIB’s UnificationEngine® to alert employees to increase their vigilance.
Cyber defenses that leverage machine learning study employees’ access behavior patterns. Artificial intelligence flags an account as suspicious when, for example, a New York City-based employee’s login account is accessed from a country in the Middle East where neither the business nor the employee has any business.
In conclusion, there is no single solution to cybersecurity. Cyber-criminals are incredibly sophisticated and employ a combination of techniques to break into a company’s network. Therefore, our security solution must also consist of a combination of education, best practices, technology, and a good dose of common sense.
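The two detections described above (locking an account after repeated failed MFA attempts, and flagging a successful login from a country where the employee has no business) can be expressed as simple rules over an authentication log. The following is an added example, not code from the article or from UIB; the log lines, the employee-to-country mapping and the thresholds are all constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample authentication log (not real data); UTC timestamps, ISO country codes.
SAMPLE_LOG = """\
ts,user,event,country
2024-03-04T09:00:00,alice,mfa_success,US
2024-03-04T09:05:00,bob,mfa_fail,US
2024-03-04T09:06:00,bob,mfa_fail,US
2024-03-04T09:07:30,bob,mfa_fail,US
2024-03-04T09:08:00,bob,mfa_success,US
2024-03-04T11:30:00,alice,mfa_success,AE
2024-03-04T12:00:00,carol,mfa_fail,US
2024-03-04T15:00:00,carol,mfa_fail,US
"""

# Hypothetical IAM/HR data: countries each employee is expected to log in from.
EXPECTED_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}

MAX_FAILS = 3                 # failed MFA attempts inside the window that trigger a lock
WINDOW = timedelta(minutes=10)

def analyze(log_text, expected=EXPECTED_COUNTRIES, max_fails=MAX_FAILS, window=WINDOW):
    """Process CSV auth events in order; return (locked_users, geo_alerts)."""
    locked = set()
    geo_alerts = []                   # (user, country, timestamp) of unexpected-country logins
    recent_fails = defaultdict(list)  # user -> timestamps of MFA failures inside the window
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        user, event, country = row["user"], row["event"], row["country"]
        if user in locked:
            continue  # a locked account stays locked until a security admin releases it
        if event == "mfa_fail":
            # drop failures older than the sliding window, then add this one
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            if len(fails) >= max_fails:
                locked.add(user)
        elif event == "mfa_success":
            recent_fails[user].clear()
            if country not in expected.get(user, set()):
                geo_alerts.append((user, country, row["ts"]))
    return locked, geo_alerts

if __name__ == "__main__":
    locked_users, alerts = analyze(SAMPLE_LOG)
    print("locked accounts:", sorted(locked_users))
    print("geo alerts:", alerts)
```

In the sample, bob is locked after three failures within ten minutes (his later success is ignored), alice's login from AE is flagged, and carol's two failures are too far apart to count together.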
About the Author
Avrohom comes from a 20+ year career in Telecom, where he helped businesses around the world install and maintain their communication systems and contact centers. He is a top-ranked global IoT expert by Postscapes.com, followed worldwide on Twitter, and a frequent speaker on using technology to accelerate revenue growth.
Listen to him share the latest technology trends, tools, and best practices, on #AskTheCEO — broadcasted on YouTube, with all shows available on iTunes and SoundCloud.