Cyber attorney warns that social engineering remains biggest threat

March 9, 2017
High-profile hacks often hinge on simple acts of deception called social engineering, writes the newly-arrived LeClairRyan attorney in a recent blog post at InformationCounts.com

ALEXANDRIA, Va. -- 3/9/17 – Forget about high-tech espionage. Many of the headline-grabbing hacks from the past few months hinged on low-tech social engineering—the use of deception to manipulate users into giving up their passwords and other data, writes LeClairRyan attorney David Z. Seide in a new post on the national law firm’s “Information Counts” blog.

“This kind of hack takes many forms—examples include security alerts from what appear to be trusted websites to update passwords, and phishing emails from what appear to be known, trusted contacts asking to download files or click on provided links,” writes Seide, a partner on LeClairRyan’s Compliance, Investigations and White Collar team, based in the national law firm’s Alexandria, Va., and Washington offices.

In the Feb. 27 post (“Cyber Security and Social Engineering: A Big Low Tech Problem”), Seide notes that the consequences of computer network penetration through social engineering have been dire for victims. He cites a prime example: the hack of Hillary Clinton’s 2016 presidential campaign.

“There, the campaign chair received what appeared to be a genuine email from Google’s ‘Gmail Team’ informing him that a Ukrainian computer had just used his password to try to sign in to his Gmail account,” Seide explains in the piece. “The email went on to say that Google had stopped the attempt, advised the chair to change his password immediately, and provided a ‘Change Password’ link. Believing the email to be authentic, the chair clicked on the link and changed his password.”

As the world now knows, of course, the new password went straight to hackers, who promptly downloaded 30,000-plus emails in the account and sent them to WikiLeaks for publication. “This hack succeeded only because hackers used social engineering techniques to trick the unwitting user into effectively giving a secure password to what appeared to be a trusted source,” writes Seide, an experienced litigator and internal investigator, who led multiple high-profile internal and financial investigations for several federal agencies prior to joining LeClairRyan last month. Those roles included leading the Department of State Office of Inspector General team that reviewed and published multiple reports in 2016 concerning the use of personal email for official business by Hillary Clinton and four other Secretaries of State. 

For the foreseeable future, he notes, low-tech social engineering hacking will continue to be a dominant cyber risk. “If anything, it is likely to proliferate across the growing and emerging technology platforms—mobile and other Internet-enabled devices (Internet of Things) and social media,” he explains.

This is precisely why defending against such hacks requires more and better “cyber hygiene,” which Seide describes as “no different than regularly washing hands to prevent infection.” Toward that end, he offers a set of best practices for guarding against social engineering. They include ramping up education about social engineering; closely monitoring the level of security protocol compliance within your organizations; maintaining vigilance and skepticism; and engaging in timely reporting of hacks or potential hacks.

“Cybersecurity is an ongoing process that changes as fast as technology changes. And technology changes fast,” the attorney writes in the conclusion to the piece. “These suggestions are by no means cure-alls. But they will reduce social engineering risk and may demonstrate a prudent effort to address a serious problem we all regularly face.”

The full blog post is available at https://informationcounts.com/cyber-security-and-social-engineering-a-big-low-tech-problem/

About LeClairRyan

As a trusted advisor, LeClairRyan provides business counsel and client representation in corporate law and litigation. In this role, the firm applies its knowledge, insight, and skill to help clients achieve their business objectives while managing and minimizing their legal risks, difficulties and expenses. With offices in California, Connecticut, Delaware, Florida, Georgia, Illinois, Maryland, Massachusetts, Michigan, Nevada, New Jersey, New York, Pennsylvania, Rhode Island, Texas, Virginia and Washington, D.C., the firm has approximately 350 attorneys representing a wide variety of clients throughout the nation. For more information about LeClairRyan, visit www.leclairryan.com