
You are the target

It’s all fun and games until someone lets a hacker in.

This week a Cisco employee unknowingly let an attacker into one of Cisco’s CRM systems. It was accomplished through a vishing attack: a voice scam, usually carried out by phone call. The user was persuaded to give up enough information to allow the attacker access to the CRM, and a data set of client information was downloaded before the Cisco security team was able to terminate access.

Cisco Hacked – Attackers Stolen Profile Details of users Registered on Cisco.com

There are many lessons here.

Anyone with access is a target

Any employee, vendor, or family member with access can unknowingly allow an attack. It is important to know and accept this. The best defense is an offense. Teach your people, and your family, to recognize threats or to not offer anything up. Hold your vendors to the same level you do yourself. If they refuse, maybe it’s not worth the relationship.

Cisco is a world-renowned technology vendor with a strong presence in cyber security. As a cyber security professional, I routinely use one of Cisco’s news sites to keep up with the latest threats and technologies: Cisco Talos Intelligence Group – Comprehensive Threat Intelligence. This employee was probably undergoing constant security awareness training at Cisco and was not someone lacking the credentials to hold a role with access.

If I had to guess, it was a quick lapse in judgement that allowed the attack, and that quick lapse is completely human.

All the resources do not matter

Cisco is a large company, with its own internal security teams. They do a very good job of protecting their company, their products, and their customers. It still happened.

I cannot reiterate this enough. Cyber security’s weakest member, humans, can be its strongest. If a user allows an attacker in, all the systems in the world couldn’t stop the initial damage… it is damage control from that point forward. However, if the user recognizes the threat and hangs up… attack over, no damage. Crazy, I know!

Train your people. End of story, and threat.

In today’s world, any breach is a breach

A leak of information is so important in the modern internet that no breach is too small to note. A breach is a breach, and the information within can and will be linked to more information and used to catch bigger fish.

A fisherman first lures bait fish to a trap or net. He catches the bait fish and puts them on a hook to catch a bigger fish. If he wants larger than that, like a shark, he hooks the larger fish and continues until he gets what he wants. The really, really, really big fish. The really big fish is the target, but get this, none of the little fish survive either. They are eaten, hooked, dragged through the water looking for the big fish. No fish wins this story.

What to do

  • Invest in a Managed Service Provider that excels at security. If you need more, they will bring in the assistance of a trusted Managed Security Service Provider.
  • Train your people. Family, employees, everyone.
  • Hold your vendors to the same standards.
  • Above all else, make sure your people know to report any issues.