By Andrew Avanessian, COO at Avecto.
The manufacturing industry is a cornerstone of the world's economy, contributing trillions of pounds every year. The powerhouses of China, the USA and the UK alone account for over $3 trillion.
These three giants are just the tip of the iceberg too, underlining how vast and valuable the industry is. But with value comes risk, and one of the fastest-growing risk areas is cyber crime. The recent WannaCry ransomware attack, which halted production lines in several Renault factories in France and one UK Nissan factory, highlights that the industry still has a way to go when it comes to protecting itself against cyber attacks.
The FBI has estimated that $400bn of intellectual property is leaving the US each year because of cyber attacks, and a report from IBM X-Force has stated that cyber attacks targeting manufacturing companies are on the rise. It's the value that manufacturers hold, both in money and intellectual property, that makes them such a target. On top of this, their vast supply chains offer many routes into the business for the savvy hacker.
It's fair to say – compared to some other industries – that the manufacturing sector has been slow to react to the increasing threat. A recent report from Deloitte found that only 52% of manufacturing executives surveyed are confident that their organisation is protected from external cyber threats. The uncertainty highlights a sentiment felt in the majority of businesses – would we be resilient to a targeted cyber attack?
The problem is, cyber criminals are evolving their methods at an incredible pace. This is certainly true in the social engineering space – a category of attack that involves deceiving employees to convince them to divulge sensitive information or grant access to the corporate network.
Most people will have experienced social engineering in the form of mass phishing emails. One of the most well-known examples is the Nigerian prince asking for a large sum of money to be transferred to his bank account. But they are becoming increasingly difficult to spot as criminals spend longer researching their targets and crafting incredibly convincing communications.
This targeted approach is known as spear phishing. A spear phishing email might look exactly the same as a typical note from a colleague or supplier. The email address might look the same and the content could have idiosyncrasies that you'd expect. It can catch out everyone, from the most junior of staff to the CEO. A single click can subsequently compromise a company's entire network.
A targeted approach is becoming simpler because of the amount of personal and corporate information that is now freely available online – as well as (often) illegally obtained material that resides on the dark web, such as leaked usernames and passwords. Such data enables social engineers to credibly assume the identity of a high-ranking member of staff, or even a close friend or colleague.
Most high-profile hacks begin with some form of social engineering. The email leaks during the American election last year started with a simple phishing attack. This year, DSV Global Transport and Logistics in South Africa was hit with a ransomware attack, finding all its files encrypted with the attackers wanting money to unencrypt them. Other manufacturers in the country were hit too. It's believed all of these attacks started with a simple phishing email.
Although all industries are at risk of social engineering, manufacturers will always be a prime target. A campaign dubbed 'Operation Ghoul' discovered in 2016 saw a criminal group aggressively targeting manufacturing and engineering companies in the Middle East with financial motives. The initial attack method? Spear phishing emails.
Social engineering attacks can have devastating consequences and yet the mode of attack is often simple. The good news is, it is simple defences that can protect manufacturers.
The key is to get the foundations of cyber security right and not rely on 'next generation' solutions that often come at the expense of the basics. These basics include:
- Remove administrative rights from all employees. On a practical level, this means staff only have access to the software and information that they need to carry out their job. This means that if an employee falls victim to an attack, the infection can only spread so far due to the controlled access.
- Educate staff. Some spear phishing emails are almost impossible to spot, but 99% can be identified if you know what to look for. Put time and resource aside to train your staff about social engineering and the consequences.
- Application control. Don't allow unknown software to execute. This is often where malware is housed. Approve safe apps, restrict the rest.
- Patch your software. Software vendors release updates when vulnerabilities are found in their apps. Update as soon as you feasibly can to close the door to hackers.
If there's anything that we can learn from recent events, in particular the WannaCry ransomware attack that affected a huge number of businesses across the world, it is that businesses big or small, regional or global, and in every sector, will be vulnerable if they don't have the right security measures in place. But if manufacturers get the foundations right, they will be in a much better position to deal with the social engineer.