
What Uber’s data breach reveals about social engineering


Few techniques are as popular among cybercriminals as social engineering. Research shows that IT workers receive an average of 40 targeted phishing attacks a year, and many organizations are struggling to intercept them before it's too late.

Just yesterday, Uber was added to the long list of companies defeated by social engineering after an attacker managed to gain access to the organization's internal IT systems, email dashboard, Slack server, endpoints, Windows domain and Amazon Web Services console.

The New York Times [subscription required] reported that an 18-year-old hacker sent an SMS message to an Uber employee, impersonating support staff to trick them into handing over their password. The hacker then used it to take control of the user's Slack account, before later gaining access to other critical systems.

The data breach sheds light on the effectiveness of social engineering techniques and suggests that enterprises should reevaluate their reliance on multifactor authentication (MFA) to secure their employees' online accounts.


Social engineering: the low-barrier way to hack

In many ways, the Uber data breach further illustrates the problem of relying on password-based authentication to control access to online accounts. Passwords are easy to steal with brute-force attacks and social engineering scams, and they provide a convenient entry point for attackers to exploit.

At the same time, no matter how good an organization's defenses are, if it is relying on passwords to secure online accounts, it only takes one employee sharing their login credentials for a breach to occur.

“Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually, mistakes with dire consequences will be made,” said Arti Raman, CEO and founder of Titaniam. “As this incident proved, despite security protocols in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world.”

While measures like turning on multifactor authentication can help to reduce the likelihood of account takeover attempts, they won't fully prevent them.

Rethinking account security

Often, user awareness is an organization's best defense against social engineering threats. Using security awareness training to teach employees how to detect manipulation attempts in the form of phishing emails or SMS messages can reduce the likelihood of them being tricked into handing over sensitive information.

“Standard cybersecurity awareness training, penetration testing and antiphishing education are powerful deterrents to such attacks,” said Neil Jones, director of cybersecurity evangelism at Egnyte.

Organizations simply can't afford to make the mistake of thinking that multifactor authentication is enough to prevent unauthorized access to online accounts. Instead, company leaders need to assess the level of risk based on the authentication options supported by the account provider and implement additional controls accordingly.

“Not all MFA factors are created equal. Factors such as push, one-time passcodes (OTPs), and voice calls are more vulnerable and are easier to bypass via social engineering,” said Josh Yavor, CISO at Tessian.

Instead of relying on these, Yavor recommends implementing security-key technology based on modern MFA protocols like FIDO2, which have phishing resilience built into their designs. These can then be augmented with secure-access controls to enforce device-based requirements before granting users access to online resources.
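As an added illustration of the point Yavor makes (this is not code from the article, from Uber or from Tessian), the simplified Python model below shows why an OTP can be relayed from a lookalike site while a FIDO2-style assertion cannot: the authenticator signs over the relying-party ID and origin that the browser supplies, so a credential registered for the genuine host is never usable from a lookalike. The host names, the HMAC-based toy authenticator and the HOTP-style code are constructed assumptions; real WebAuthn uses asymmetric keys and a CBOR-encoded authenticator data structure.

```python
import hashlib, hmac, json, os

RP_ID = "rides.example"            # constructed relying-party host (the genuine service)
LOOKALIKE = "rides-login.example"  # constructed phishing host

class Authenticator:
    """Toy security key: one key per relying-party ID (HMAC stands in for FIDO2's signature)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]

    def get_assertion(self, page_host, challenge):
        # The browser sets rp_id from the page's own origin; a lookalike host has no credential.
        key = self.creds.get(page_host)
        if key is None:
            return None
        client_data = json.dumps({"challenge": challenge.hex(), "origin": page_host}).encode()
        rp_id_hash = hashlib.sha256(page_host.encode()).digest()
        signed = rp_id_hash + hashlib.sha256(client_data).digest()
        return client_data, rp_id_hash, hmac.new(key, signed, hashlib.sha256).digest()

def verify_assertion(key, challenge, assertion):
    """Server side: RP ID hash, origin and challenge are all covered by the signature."""
    if assertion is None:
        return False
    client_data, rp_id_hash, sig = assertion
    data = json.loads(client_data)
    if (rp_id_hash != hashlib.sha256(RP_ID.encode()).digest() or data["origin"] != RP_ID
            or data["challenge"] != challenge.hex()):
        return False
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest())

def otp_for(secret, counter):
    """HOTP-style code: six digits with nothing binding them to an origin."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"

def login_accepted(factor, phished):
    """True if the genuine server accepts; `phished` means the user is on the lookalike site."""
    challenge, auth = os.urandom(32), Authenticator()
    if factor == "fido2":
        key = auth.register(RP_ID)
        host = LOOKALIKE if phished else RP_ID
        return verify_assertion(key, challenge, auth.get_assertion(host, challenge))
    secret = os.urandom(20)
    submitted = otp_for(secret, 1)  # typed by the user; the lookalike forwards it unchanged
    return submitted == otp_for(secret, 1)  # accepted whether phished or not: no origin to check
```

Run `login_accepted("fido2", phished=True)` next to `login_accepted("otp", phished=True)`: the relayed OTP is accepted, the FIDO2 login is not, because the lookalike never obtains an assertion it could forward.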
