Once again, social engineering
Although its appearance in the media has been more discrete than is expected, a series of details of the same nature have occurred throughout this year which, with good reason, have made more than one manager of financial institutions lose sleep: theft on the wholesale market perpetrated by fraudulent stock in the SWIFT payment system.
There were various detonators that set off these incidents, but it seems that the common factor among all of them is the capture and subsequent illicit use of operating and authorisation passwords, as well as a presumed laxness of internal control measures.
The circumstances surrounding these thefts have highlighted a series of realities that have gone undetected:
- The criminal offences committed via social engineering (capture of passwords through phishing, spamming, etc.) have not only impacted on retail customer banking, but they may also undermine wholesale activity.
- Despite the great proliferation of mechanisms and technologies used for hacking in recent years, the most successful computer attack techniques continue to be those that act on the weakest link of the chain, the human factor.
Despite the stubbornness of the details, companies still dedicate their main efforts (and budgets) to measures linked to the improvement of infrastructure and perimeter security, whereas a proportionately very inferior amount of those resources are set aside to strengthen the internal governance measures of the security.
It is because of this that when faced with the question of what are our current three most urgent needs within the IT security framework, many would reply, mimicking a certain American director and screenwriter, that it is no other than training, training and training. And not only training of specialised staff, but also of all employees.
Good governance of security is only possible through the contribution of each and every one of a company's employees; thinking that IT security is only the responsibility of the departments of Systems or IT Security is like getting a one-way ticket to fraud and operational loss.
For this reason, such basic recommendations as the secure use of email – precaution when faced with incoming mails of an unknown origin, non-execution of programmes that are not properly accredited attached to emails –, adopting basic principles of caution on our information assets – not leaving information in easily accessible locations, not indiscriminately copying confidential information – or the preservation of the confidentiality of our passwords – which involves not disclosing it and frequently updating it –, are more valid than ever and they must form part of our daily routine.