Amrin Maria Khan, security software engineer at IBM, said such social engineering can start with a simple friend request on a social media site such as Facebook or Instagram. You accept the request because you needed to talk to someone at that point, and you start chatting. You don’t realise that it’s a fake profile on the other side. “As you get comfortable, the hacker could ask you when’s your birthday, where are you now, what’s your pet’s name. And typically, these are what people set their passwords as,” Amrin said.
Ashwini Varadkar, senior security analyst at NotSoSecure, said there are techniques like dumpster diving, where hackers obtain information about you from details stuck on a shopping package or a shopping bill you received, and which you threw away without tearing. There’s shoulder surfing, where someone, without your knowledge, watches from behind as you key in your password. Amrin said image processing has become so good that even if the password is being reflected on a screen, and if that is captured by a camera, hackers can decipher it.
Vandana Verma, board member of the Open Web Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, said hackers even look at your social media posts to get information about you that they can then use to access confidential material.
The solution is to be careful about what you disclose and to keep complex passwords. “Passwords should be like toothbrushes. Never share it with anybody,” Vandana said. Organisations, she said, should also conduct regular phishing exercises for employees.
All three also warned organisations against an unplanned move to the cloud. “If you move without planning, it leaves a lot of space for bad actors. There could be many accounts, and you may not have full oversight of what is running, who all have access to what. A recent report by the Ponemon Institute found that 19% of data breaches were because of cloud misconfigurations. People are not aware about cloud security and policies around it,” Vandana said.
Amrin said a small misconfiguration could allow somebody to access something he is not supposed to have access to. “Moving to the cloud is easy and efficient, but you need to do so with a security strategy in place,” she said.
Ashwini noted that with work-from-home, VPN use has become critical. But many employees find it difficult to use a VPN. Schools, she noted, may not even have a VPN. Vandana said schools have become very vulnerable with the pandemic. Teachers and students really need to be trained, she said.