Are You the Next Weakest Link?

Featured article by Michael J. Mihalik, Chief Information Security Officer, ProSight Specialty Insurance

How the “Trojan Horse” Has Evolved in a Digital Age

Most of us remember the myth of the Trojan War, when the Greeks attempted to defeat the city of Troy. The battles lasted nearly 10 years. Then one day the Greeks appeared to retreat, leaving behind a huge wooden horse as a gift to the Trojans. The Trojan Horse was brought inside the city gates allowing the enclosed Greek warriors to infiltrate the city. The Greek warriors opened the city gates to allow the rest of their army to enter and defeat Troy. While historically the moral of this story is to beware of gifts from enemies or strangers, there is also a powerful message that suggests people are the weakest link – they can be their own worst enemy.

Does history repeat itself? The short answer is yes, but today the motivation doesn’t reside in conquering a city; instead, critical information is the prized trophy, so to speak—information such as formulas, trade secrets and personal data. The attackers can be organized criminals, nation states or individual hackers. These attackers are targeting society’s weakest link, i.e., people, and they are doing so by way of a new “Trojan Horse” that manifests as malware, Phishing attacks and Spear Phishing scams.

Beware of Malware

Malware has been around for years and is most commonly known as a virus, Trojan or worm. These attacks are typically executed by sending Internet users an email enticing them to open an attachment or click on a link. Typically, the attacker plays on human emotion and uses a cute picture or funny video. As soon as the link is clicked, a malicious code is deployed and turns the computer into a zombie. As a zombie, the computer executes malicious attacks, unbeknownst to the victim, on other computers creating a network of infected computers called Botnets. These Botnets continually spread the malicious code and launch attacks on important systems disabling them.

Phishing for Problems

Phishing scams are broad attacks aimed at people by creating a sense of urgency or appeal. Some commonly-used prompts include: “We need to verify your account,” or “You have won a $50 gift card,” among many others. With this particular approach, the attacker is trying to initiate a response so that they can acquire information like usernames and passwords, credit card information, bank account information, etc. They build fictitious websites that look just like the real website and ask users to login. When they do, hackers will capture the sensitive information, enabling them to do things like steal your money or gain access to a protected network.

When Phishing Gets Personal – Spear Phishing 101

Spear Phishing is a sophisticated form of Phishing. Spear Phishing emails often have an urgent message and appear to come from a trusted source, such as a friend or colleague. Unlike general Phishing, with Spear Phishing the attacker researches their intended target by scouring the victim’s LinkedIn profile, Facebook page or other online social media sites. With this research, the attackers then create a highly customized email that appears relevant to the intended targets. This way, the individual is far more likely to fall victim to the attack.

Phishing and Spear Phishing attacks are not limited to just emails. Phone attacks are just as damaging. One such scam happens when attackers pose as the Internal Revenue Service (IRS) and advises the target that they are late in paying their taxes. The scam continues with the threat of garnishing wages or seizing assets if the victim does not immediately transfer funds to cover the outstanding taxes.

Verify First. Trust Second.

All of these attacks work on attacking the weakest link: people. These are attacks based on trust and human nature. Deep down, we like to believe that all people are inherently good. And while this is a commendable virtue and personality treat, it also makes us a potential target for scams and data breaches. Instead, we need to operate with an abundance of caution. To bring the historical context of this issue full circle: Ronald Regan made famous a Russian proverb in negotiating an arms control treaty with Mikhail Gorbachev, “Trust, but verify.” Today, a slight variation is in order in that we must verify, then trust. In the digital world things happen very quickly, and waiting to verify could be devastating.

Michael Mihalik is the Chief Information Security Officer of ProSight Specialty Insurance Company in Morristown, New Jersey. He has over 33 years of experience in property/casualty insurance with leading companies. Prior to ProSight, Mr. Mihalik was the Chief Privacy Officer for Tower Insurance Company of New York. He specializes in risk assessment, gap analysis, policy development, security awareness training, strategy development and implementation. Mr. Mihalik holds two security certifications: Certified Information Systems Security Professional (CISSP) and GIAC Information Security Fundamentals (GISF). He has been a member of the Information Systems Audit and Control Association (ISACA) since 2009. You can learn more about him on LinkedIn.