Matthew Wolfe, director of cyber security operations, Impero Software, has seen a lot in his career in tech but some things remain consistent: Human behavior is the source of online security breaches.
“There’s a funny saying that technology can be a great servant, but a terrible master,” says Wolfe. “A photographer could have thousands of photos in a Dropbox and have it in one folder. But then they share it and allow this whole folder to be accessible to anyone on the internet, or just one time that link is shared again and again. Now the whole world has access to that entire photographer’s library of photos. It’s really a matter of exploiting controls that were not used to be exploited, but exploiting those normal controls to do something malicious with.”
Common security exploits are dangerous precisely because they look like routine operations, says Wolfe. For example, what appears to be a routine information request may actually be a phishing tactic, where an interloper is looking to obtain access to a network.
“The person in accounting on the first week on the job doesn’t know what a good email looks like compared to a bad email,” says Wolfe. “They don't know all the different sources of the good people sending emails in, so they just click on every link and, most of the time, that's when the exploit happens.”
Wolfe advises companies to make sure all employees are trained to know what constitutes a legitimate request from a verified sender and to remain vigilant at all times.
“Just because a person in an organization submits a request to review everyone’s social security numbers doesn't mean they should inherently do it,” he says. “The majority of the time when an issue like this happens is that there's not a check and balance.”
Even clicking on a single benign-looking link can result in a breach, says Wolfe, whose background includes serving as a cybersecurity noncommissioned officer in the United States Army. For example, Wolfe says he can craft an email that appears to come from a legitimate PayPal address.
“If you have proper controls set up in your email box, it should be flagged,” he says. “If it's not, however, then it's going to show from ‘firstname.lastname@example.org.’ This email may say, ‘You have $150 or $3,000 or $20,000 waiting; click here to verify.’” Because some users will trust a PayPal link without question, they may not look further before clicking on the link.
“The moment you click on that link, you’re done,” he explains. “I have [access to] everything. I can make it so that the website you go to does an automatic download and an automatic execute. Whenever you click on the file, it executes and then I own everything [on the computer]. It happens quickly.”
Once infected, Wolfe says a computer can then send sensitive data – without the user knowing it – over the internet to the dark web via a remote access trojan.
“A remote access trojan allows an attacker to be able to have access to the computer at all times and you don't know about it,” he says. “You don't know you're sending files out to anybody and everybody. That is one of the most undiscovered exploits out there.”
Unless companies use monitoring software, these file transfers can go unnoticed.
Wolfe notes nefarious parties are constantly looking for exploits across thousands of companies, and only need a few successes for them to be highly profitable.
“It just takes one time,” he says. “The Los Angeles Unified School District [was recently hacked] through a server that was available online, and now they're losing hundreds of thousands of critical records. That’s $100 million lost from one server being accessible.”
In the case of student records, social security numbers are valuable on the dark web.
“Someone under the age of 18 typically doesn't have a credit card,” he explains. “So if you get 500,000 social security numbers in a school district, those are unused. Now you can commit fraud very easily with the sheer amount that you gained. If you sell a number for $2 apiece, you're a millionaire.”
Wolfe recommends that companies and school districts review their policies regarding access to student information systems (SIS), including restricting access to secure networks and to only those employees who directly need the information. He also said there is software available that can prevent the launching of an unknown executable, such as a trojan.
Training of personnel, however, can also improve security. Wolfe recommends that when rolling out new security protocols, a network administrator should gain support from key users to try the system first. Once they become champions of the new procedures, they will help reluctant co-workers see the benefits.