On December 10, 2021, NetSPI Principal Security Consultant Larry Trowell was featured in an article written by David Marshall for VMBlog.com. Read the full article below or online here.
With the holiday season in full swing, cybercriminals know consumers are relying heavily on online shopping to fulfill their Christmas gifting lists, and organizations are at an increased risk of threats. Here’s some helpful advice from several cybersecurity experts.
NetSPI, Larry Trowell, Principal Consultant
“As we enter the holiday season, security professionals must be aware of the threats that come with holiday gifts, specifically smart IoT devices. These connected gadgets open up a new host of security risks for both employees’ personal lives and corporate networks.
Over the last two years alone, more people have set up multiple devices that connect to a single home network, including corporate-issued computers and tablets. With so many devices already in play, employees need to understand that some of the most popular technology gifts, such as robot vacuums, Tile, and Alexa come equipped with Bluetooth and Wi-Fi, cameras and geo mapping. These capabilities create a complex system that is more prone to attacks because it has greater potential for flaws and vulnerabilities within an increased attack surface – especially when integrated with other home automation products.
In tandem with this increased tech adoption, the pandemic and rise in remote work brought all corporate devices into employees’ homes and opened up Pandora’s box for potential vulnerabilities — home office networks are said to be 3.5 times more likely to be attacked than corporate networks. To better understand, assess, and manage how employees are accessing company networks during the holidays, companies should educate their workforce about potential risks to their home network that come with tech gifts, and set up regular tests of their corporate systems as computers leave the office. Having a security testing program set in place — prior to the holidays — can help to identify any vulnerabilities within the corporate network quickly and efficiently and allow employees to better understand all the risks at play this time of year.”
Immersive Labs, Kevin Breen, Director of Cyber Threat Research
“Cyberattackers like to take advantage of human behaviors and the holiday season is no exception. The increase in online and in-store shopping makes for an easy in, whether via phishing emails that mirror holiday marketing campaigns or fraud through the digital domain.
Toys and gifts are also becoming more high-tech and connected to WiFi or Bluetooth. Sadly, manufacturers don’t always consider the security risks when building these connected devices, since they’re hyperfocused on the user experience, which can present some exposure to users.
The human element also makes the holidays a particularly vulnerable time. There’s a societal pressure to exchange gifts, make memories, finish the year strong and make ends meet-creating a slew of open opportunities for cyber threats and disruption. We’ve seen some of the most impactful ransomware attacks happen during holiday periods, for example, where there’s minimal security staffing and an increase in external commitments. Cyberattacks don’t stop during the holidays, in fact, they’re often amplified, so it’s critical that organizations remain vigilant and prepared.”
Gigamon, Joe Slowik, Senior Manager of Threat Intelligence
“Supply chains are especially vulnerable to cyber attacks this holiday season. Supply chain attacks raise the prospect of stealthy, nearly impossible to detect intrusions by subverting fundamental trusts between network operators and their suppliers, contractors, and related parties…
…While concrete proof or direct evidence for any of these alleged incidents is circumstantial at best and typically nonexistent, the nature of the problem makes proving (or disproving) such events difficult or impossible. Once fundamental system trust is questioned, discussion quickly shifts such that one must prove that a device is not compromised which is a near impossible task.
One mechanism for adversaries, defenders and networker owners to retain significant ‘first mover’ advantage in that they own, manage, and (ideally) can design the landscape on which intruders must operate – emerges through implementing “zero trust” security architecture. One of the core mechanisms to achieve and maintain zero trust principles is rigorous network segmentation through physical and virtual mechanisms. System owners can reduce direct connectivity between devices and establish authentication or rigorous trust boundaries between segments. Adversary lateral movement then becomes significantly more difficult even if the initial breach takes place via a supply chain mechanism circumventing other controls. Thorough segmentation becomes especially valuable when paired with monitoring and visibility. System owners and network defenders gain insight into internal network traffic flows between discrete zones as opposed to just internal-external communications. Combined with a robust approach to C2 traffic monitoring described in the previous section, defenders gain layered visibility into adversary operations throughout multiple phases of operations.”
Datto, Ryan Weeks, Chief Information Security Officer
“The holiday season presents a “perfect storm” of opportunity for threat actors. Timing is the sweet spot for most attackers; the longer it takes for someone to notice there has been an intrusion, the more damage they can do. With an abundance of shopping deals, marketing emails and greater online traffic, the holidays are a perfect time for employees to fall for phishing tactics that enable hackers to propagate throughout a network – long before a company even realizes it.
In fact, phishing emails top the list of successful attack vectors at 54%. Further, a lack of education, weak passwords and poor user practices are among the top causes for ransomware attacks. In the weeks leading up to the holidays, companies should ensure their employees are properly educated and trained on how to spot phishing tactics and thwart intrusions that could quickly spread to infect an entire organization during the holidays.”
Veriff, Janer Gorohhov, Co-founder and Chief Product Officer
“The accelerated digital transformation of companies around the world has led to an increase in fraud rates globally, and retail is no exception. To combat this increase in fraud and maintain trust and safety online this holiday season, more organizations must leverage artificial intelligence tools to identify and stop bad actors in their tracks, saving online retailers money and protecting both their employees and customers.”