I was at the Hacker Halted Conference in Atlanta, GA this year. One touch point sounded in every event, from the keynote to the session speakers: “social engineering”. Social engineering is one of the main attack vectors into a company, from web sites to phones.
Companies are acknowledging that employees are attack points for hackers to reach inside our business. Companies are starting to change their views about employees, from seeing employees as Trojan horses in their company to educating them as human firewalls. Employees can be trained to recognize a potential attack on their human emotions; thus the employee awareness programs were born.
The employee awareness boom is not a bad thing for companies. Thousands of companies have shown that employee awareness training works. Repeated studies show the employee Phish-prone percentage drops more than 90%.
concern or question, why we need to update training for new and bold attacks. Normally, employee awareness programs focus on email Phish, USB attacks, and web browsing. We should add mobile attacks to this year’s
devices enable our businesses to reach more customers and allow employees to be more productive. The same technology, unfortunately, allows the hacker to reach inside your business. Remember, our employees are not acting with malicious intent.
didn’t mean to go to that website on her iPhone: “iPhones are safe”. Tim didn’t realize that he was sending emails around the world from his phone. Tim thought that only happens from his PC.
The “how to” of attacking a phone.
There are more than 2 billion smartphones around the globe, making mobile devices a rich target for malware authors and other cyber attackers. Malicious apps sometimes find a way through the initial screening process and are caught only after they have been downloaded onto mobile devices by unknowing consumers.
The general idea is to get an employee to download an app and allow it to install with administrative permission. It is that simple.
You may ask where these apps are coming from. The picture below shows how many attack vectors a phone can have.
So, in conclusion, yes, I do test client iPhones during our quarterly due diligence security testing. Employees get a text message from their IT department to update an app. A certificate pop-up warning will be seen; if the employee accepts the pop-up, the rest is history.
So please add mobile awareness training to your company.