If you’ve watched the news this week then you’re probably aware that CIA Director John Brennan fell victim to a cyber attack and had his personal information leaked onto the web. You might be thinking, “What advanced group of hackers pulled this one off?” The answer is none. The hack was simply a teen using one of the simplest methods possible: social engineering.
Social engineering is a non-technical method of intrusion used by hackers. It relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It’s the simplest way for anyone to attack an organization – and therefore one of the biggest risks for any company’s information security. In this case, the teenager responsible for the attack had a very simple approach: he called Verizon and acted as another Verizon employee. The Verizon staff easily exposed information such as the last 4 digits of Brennan’s credit card, and the hacker was able to use this information to repeatedly reset Brennan’s AOL email password. Eventually he gained access to the account and was able to expose sensitive information, such as security clearance paperwork.
So why should you care? Two reasons: because you may have employees that will fall for this type of trickery and/or you may have vendors that you do business with that are susceptible to this type of attack. Ultimately there is one, and only one, way to prevent social engineering attacks: employee information awareness training. Educating your employees on how to properly handle information and to be aware of these types of attacks significantly decreases your risk of falling victim to a social engineering attack (and many other types of attacks).
We know that employee training takes time – but with ISE it doesn’t have to take a lot of time. Social engineering is a main topic in our Essentials training – and it takes less than 40 minutes to complete the entire program. So Verizon, if you’re reading this, $19 and 40 minutes would have prevented this attack. We know the saying “any publicity is good publicity”, but something tells me that Verizon isn’t too excited about being in the news for exposing enough information to allow the director of the CIA to be hacked. Our advice (outside of purchasing training) is the same as always: care more, share less.