Understanding Hacking: Essential Attack Strategies Every Business Must Know
I recently participated in a cybersecurity conference in Bonn, Germany, organized by the Fraunhofer Institute, the German Ministry of the Interior, and the Federal Office for Information Security. Every year, government entities and businesses come together to discuss pressing cybersecurity issues.
Despite many organizations investing in IT security by implementing firewalls, antivirus solutions, conducting regular penetration tests, and strengthening their systems, there remains a significant gap in understanding the actual methods used in attacks. This often leads to a misleading sense of safety and security. It is crucial to comprehend how and why malicious entities aim to compromise your organization in order to develop an effective defensive strategy.
Why Organizations Are Targeted
Most organizations have only a vague notion of the reasons behind cyberattacks. For businesses, our primary focus here, the main motives include stealing trade secrets, damaging operations, or extracting funds. Notably, the latter, the theft of money, is the most prevalent reason businesses fall victim to cybercrime.
Cybercriminals mainly operate for personal gain and profit. While there are some instances of cyberattacks being used for political purposes, these cases are relatively rare. Businesses should be particularly vigilant regarding systems and personnel involved in financial transactions, as these are often the most vulnerable.
Social Engineering and Physical Intrusion
Many in the tech sector believe that software vulnerabilities and unpatched systems represent the primary weaknesses leading to data breaches. Although these technical flaws are indeed a concern, they are not usually the main entry points for professionally orchestrated attacks.
Social Engineering as a Gateway
The quickest and most effective way to infiltrate secure systems is often through social engineering. This technique involves manipulating and deceiving individuals to gain unauthorized access to information or systems. It relies heavily on exploiting human psychology, trust, and weaknesses to trick people into sharing sensitive data or taking actions that benefit the attacker.
While you may be familiar with the concept of social engineering, here are some practical examples of how attackers gain access to systems, often involving multiple individuals.
Impersonating Victims Over the Phone
Most customer service centers utilize only basic authentication measures. A customer number, birth date, and current address are frequently sufficient to access sensitive information. Additionally, many front desks and telephone systems lack proper training to combat social engineering attacks. Here are a couple of real-world examples I have encountered.
Example: Contact Center Shuts Down Web Servers
An attacker contacted a small cloud provider's service center in Europe, requesting the shutdown of specific virtual machines for testing purposes, claiming they couldn't access them through the admin console. After providing personal details for verification, the contact center agent proceeded to terminate the virtual machines.
Example: Disabling the Local Power Grid
An attacker employed social engineering techniques and a brute-force dialer to ascertain the phone number of a power grid operator's service manager. By observing maintenance workers, the attacker noted their communication methods. Eventually, he called the operator, requesting the remote shutdown of a specific power line.
Culling Information from Waste Bins
Confidential information is often found in the trash. Despite many organizations providing shredders, employees frequently neglect to use them. As a result, sensitive materials end up in the waste. Some data, although not labeled as "confidential," can be beneficial to attackers, like a table football tournament's results that may help identify potential targets.
Example: Accessing Competitors' Revenue Figures
An attacker noticed a fast-food branch disposing of weekly revenue reports generated by their POS system. By visiting various branches during closing hours, the attacker collected printed revenue reports from the trash, compiled them into a spreadsheet, and sold the information to competitors as market research.
Even seemingly irrelevant information can be valuable. For example, printer test pages often contain IP addresses of printers and associated devices, which can help map the network. This scenario exemplifies "information leakage," one of the most overlooked security issues in organizations today.
Gaining Access with a Fake Identity
You might assume that organizations are physically secure due to reception areas, front desks, and access control systems. However, the human element often creates vulnerabilities in these security measures. Factors like undertrained security staff or maintenance workers can enable attackers to enter buildings without authorization.
Example: Accessing the Accounting Department
An attacker infiltrated the headquarters of a waste management company. The ground-floor service center, open to the public, provided the perfect cover. During busy hours, the attacker followed an employee into the main building, successfully mimicking the company's dress code. Consequently, he accessed the accounting department and obtained confidential financial documents that were inadequately secured.
Offices often feel like second homes to employees, fostering a sense of security that blinds them to unauthorized access risks. Regular visitors or customers can also provide opportunities for attackers to gain physical entry. Thus, safeguarding documents and equipment within office spaces is essential.
Employing a Venus Trap for Access
A "venus trap" refers to using an attractive individual to draw in a target, often with romantic intentions, to extract sensitive information. This could involve a woman attempting to gain confidential details from a male executive or vice versa. While this may sound like a plot from a spy movie, such scenarios are more common than one might think.
Example: An Affair Leading to Confidential Data Theft
A research and development director engaged in a romantic affair with a woman he met at a conference. After spending a night together, she managed to see his phone's PIN. While he was in the shower, she accessed the document management app and extracted sensitive research data, later uploading it to her cloud storage for a foreign competitor.
Having physical access to a target's devices enables various additional attacks and espionage methods. The advantage of a venus trap is that victims often feel ashamed to discuss such incidents, making them less likely to report them. A personal relationship can diminish the perceived threat level.
Deploying Long-term Intrusions
Most cyberattacks are quick operations aimed at specific targets, whether for data theft or financial gain. However, some attacks require prolonged efforts involving the clandestine introduction of malicious applications within organizations.
Example: Integrating Third-party Applications
In today's cloud-centric world, attackers need not access employee machines directly. Services that authorize third-party extensions can be exploited to gain access to company cloud services. Additionally, malicious browser extensions can monitor the websites and SaaS applications used by victims without needing direct access to their machines.
Example: Infiltrating Networks with Malicious Devices
To avoid detection when manipulating machines, attackers may opt to deploy external devices that can remain hidden for extended periods. In one instance, an attacker gained physical access to an office and installed a small single-board computer (like a Raspberry Pi) in a meeting room. This device acted as a wiretap, capturing confidential discussions for weeks.
Example: Using Trackers in Workspaces
Dropping tiny computers or embedded devices with power banks in inconspicuous areas allows attackers to track individuals' movements by capturing Bluetooth MAC addresses. This data can reveal customer counts, employee movements, and office layouts.
The trend of deploying malicious devices is increasingly popular due to their diminutive size and low energy requirements. Such devices can operate for days on compact power banks, and attackers often disguise them to avoid detection, such as hiding a small board in a power outlet cover.
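A defender-side check for the rogue-device scenario above, added here as an example and not code from the original post: it walks DHCP lease log lines and flags any device that is either absent from the asset inventory or whose MAC prefix (OUI) belongs to a single-board-computer vendor. The inventory, the log lines and the hostnames are constructed; the OUI list is an assumption to be verified against the current IEEE registry.

```python
# Added example (not from the original post): flag DHCP leases from devices
# that are not in the asset inventory or whose MAC prefix (OUI) belongs to a
# vendor of small single-board computers. All data here is constructed.
import re
from dataclasses import dataclass

# OUI prefixes attributed to Raspberry Pi Foundation/Trading in the IEEE
# registry (assumption: verify against the current registry before use).
SBC_OUIS = {"B8:27:EB", "DC:A6:32", "E4:5F:01"}

# Constructed asset inventory: MAC -> owner/description.
INVENTORY = {
    "00:1A:2B:3C:4D:5E": "reception-pc-01",
    "3C:52:82:11:22:33": "printer-floor2",
}

# Constructed lease lines in ISC dhcpd syslog style.
LEASE_LINES = """\
Mar 3 09:14:02 dhcp dhcpd: DHCPACK on 10.0.20.17 to 00:1a:2b:3c:4d:5e (reception-pc-01) via eth0
Mar 3 09:16:45 dhcp dhcpd: DHCPACK on 10.0.20.43 to b8:27:eb:aa:bb:cc (raspberrypi) via eth0
Mar 3 09:20:10 dhcp dhcpd: DHCPACK on 10.0.20.44 to 3c:52:82:11:22:33 via eth0
Mar 3 09:31:55 dhcp dhcpd: DHCPACK on 10.0.20.88 to 70:b3:d5:01:02:03 (android-phone) via eth0
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)

@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str

def audit_leases(log_text: str, inventory: dict[str, str]) -> list[Finding]:
    """Return one Finding per lease that deserves a look by the defender."""
    findings = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        ip, mac, host = m.group(1), m.group(2).upper(), m.group(3) or "-"
        oui = mac[:8]
        if oui in SBC_OUIS:
            findings.append(Finding(ip, mac, host, "single-board-computer OUI"))
        elif mac not in inventory:
            findings.append(Finding(ip, mac, host, "not in asset inventory"))
    return findings

if __name__ == "__main__":
    for f in audit_leases(LEASE_LINES, INVENTORY):
        print(f"{f.ip} {f.mac} {f.hostname}: {f.reason}")
```

Run against a real dhcpd or router log export, the same function gives a daily list of unknown devices to reconcile with the inventory; a flagged lease in a meeting-room subnet is exactly the kind of anomaly the wiretap example above would have produced.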
Evolving Attack Methods
While many companies focus on upgrading firewalls, installing antivirus software, and training staff against phishing attacks, professional cybercriminals have already adapted their tactics. Why send a fake phishing email when you can simply use an actual email account of the target?
Today, safeguarding against cyberattacks extends beyond technical defenses. The human element has become the most significant factor in cybersecurity, shifting the focus from purely technical aspects to psychological considerations.
You Can't Outsource Cybersecurity Anymore
Cybersecurity is becoming intertwined with general security practices. Consequently, both security personnel and employees must receive training on the threats they may face. Relying solely on outsourced cybersecurity services for quarterly reviews and penetration tests is no longer adequate. Cybersecurity awareness must permeate every level of the organization, from receptionists to cooks to executives.
How can multi-factor authentication (MFA) secure your applications if an employee inadvertently authorizes an attacker using their MFA device? What if a low-paid intern has access to an MFA device? Cybersecurity is not solely the IT department's responsibility; it necessitates collaboration with HR and other departments to regularly discuss security and elevate awareness about potential threats.
Thank you for reading.
Jan
What has been your experience with cybersecurity? Have you encountered such attacks? I look forward to your comments.