Pub. 4 2014-2015 Issue 2

OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS
September • October 2014, page 7

FEATURE ARTICLE

Think Like a Hacker
Tips to Defend Against Advanced Social Engineering and External Penetration

TYLER LEET
DIRECTOR, RISK AND COMPLIANCE SERVICES
CSI REGULATORY COMPLIANCE

“Once inside, they steal or distort confidential data and often damage security features to enable larger future attacks.”

Imagine you’re working at your desk one day and an email pops up with the subject, “Urgent Matter: All Employees Please Update Your Contact Information.” The message content appears to be legitimate, and even includes your president’s email signature and the company logo. You’re asked to click a link in order to update your private information. With no red flags waving, you do it.

Unfortunately, that was a spoofed email address, and you’re the victim of a phishing scam. By clicking that link, you’ve just self-injected malware onto your computer, possibly exposing your company’s network—and customer information—to cybercriminals.

It’s the work of an unethical hacker who used a type of cyberthreat—advanced social engineering—to trick you into unwillingly participating in their crime. Perhaps the most dangerous enemy facing today’s financial institutions, hackers attempt to infiltrate your network in the name of malicious goals: for their own financial gain, to perpetrate a broader theft, or to harm your company’s reputation.

According to the 2013 Internet Crime Report¹ by the Internet Crime Complaint Center (IC3), that organization received 262,813 consumer complaints with an adjusted loss total of $781,841,611 last year. That’s a 48.8 percent increase over 2012. And any one of those consumers could be a customer of yours.

The Two Major Types of Hacks—Social Engineering and External Penetration Testing

There are two main methods used to accomplish a hacker’s dirty work—social engineering, by which perpetrators exploit lapses in employee judgment to uncover system information, and external penetration, whereby unauthorized users gain access to your network.

Social engineering applies psychological tactics to poach confidential information from unsuspecting staff. Cybercriminals ingratiate themselves to employees or manipulate them into giving up classified data via face-to-face encounters or such destructive tactics as spoofed emails. More advanced social engineering is emerging, including the phishing example mentioned above.

Likewise, external penetration comes in many forms, including password attacks, session hijacking, viruses and worms. Hackers patiently

Think Like a Hacker continued on page 19
