New Social Engineering Vectors


The Pandemic’s Impact


Another appeal for Awareness Training . . .
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


For years and years, email phishing was the most prevalent form of social engineering in terms of impact. The likelihood was high, and the impact was critical.

We also saw some social engineering in the form of pretext calling. In fact, we have always believed pretext calling failures were more prevalent than phishing, albeit having minor impacts. This is because we continually demonstrate, as we pen test banks, that organizations that haven’t been properly trained will cough up information over the telephone.

But the pandemic has changed all this.   The bad guys, or in this case, white-hat red teamers, are looking for vulnerabilities in the applications we use to facilitate our remote working.

The Microsoft Teams vulnerability is very easily exploited through a social engineering vector. I can imagine going after a salesperson with the promise of a big lead. I can see email interaction, wanting to discuss a partnership to bring in those big leads, resulting in an invite to a Teams meeting. That then gives me the ability to put malware on the unfortunate salesperson’s endpoint.

The solution is better endpoint security. That will lower the impact. But the way to lower the likelihood is better security awareness training. It may be as simple as warning your employees about the dangers of Teams, starting with those who would be highly motivated to meet with new third parties (loan officers, salespeople, etc.). But don’t rely on an email. This is important enough for a good old-fashioned talk. In fact, never forget . . . Awareness is 9/11’s of the battle!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex


“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.

