Cyber-attack vector? Who, me?

By Robert Tie, CFE, CFP
Some of us complain about the blurring boundaries between our work and personal lives, but fraudsters love it. Why? Because the way many of us use personal email accounts and social media sites shapes how we work on corporate systems. Yet the relatively indiscriminate sharing of personal data that so many consumer websites encourage is antithetical to the safe use of corporate information resources.

"Users are the predominant vector for cyber attacks on corporate systems," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber-security consultancy in Sacramento, Calif. "Fraudsters know that the user is the weak link in system security."

Recent research shows how serious and widespread this problem is. In September, Symantec Corp., a maker of anti-virus software, released its 2012 Norton Cybercrime Report, which found that in the prior 12 months an estimated 556 million people around the world fell prey to cybercrime.

Responses to Norton's survey of more than 13,000 adults in 24 countries revealed that even though users were aware of the security risks they face online, many still didn't take steps to mitigate those dangers. While 75 percent of users said they believed cyber criminals focus on social networks, only 44 percent took advantage of applications that can protect them at such sites and only 49 percent use those sites' privacy settings to limit how much and with whom they share information.

When such computing habits persist at work, they can threaten the safety of corporate systems and hurt the bottom line. Another study, released in October, paints a clear, worrisome picture of how badly organizations need — but often don't have — effective cyber security programs.

The 2012 Cost of Cybercrime Study conducted by the Ponemon Institute, a privacy and security think tank, under the sponsorship of tech giant HP, found that the average annualized cost of cybercrime incurred by a sample of U.S. organizations was $8.9 million — 6 percent more than in 2011 and 38 percent more than in 2010. The 2012 report also found that the average corporation experienced 102 successful cyber attacks a week, up from 72 attacks a week in 2011 and 50 attacks a week in 2010.

It's clear that organizations — and the CFEs who serve them as employees or consultants — need to come up with effective countermeasures quickly. Sometimes, though, that's easier said than done.


Case in point: In October, a client of Butterworth's firm requested a routine assessment of its system security. During its analysis, HBGary discovered that five of the client's PCs were infected with a remote administration tool (RAT), a form of malware that surreptitiously executed commands the hackers sent it while the PC was connected to the Internet. HBGary also found that the hackers' software had been in place for more than two years, secretly monitoring the client's system and transmitting confidential information to a group that Butterworth's firm determined is located in China's Shandong province — the same region to which Google traced hackers who broke into its system in 2011.

Butterworth and his colleagues found that the RAT first entered the client's system when an employee clicked on an Adobe Flash Player link in an email he opened on his corporate PC. As he intended, clicking on that link connected him to a pornographic website. However, he didn't realize that it also connected his computer to the hackers' server, which covertly installed the RAT. The RAT then spread to four other computers connected to the corporate system, which gave the hackers mostly unfettered — and completely undetected — access to proprietary information.

The HBGary team also determined that the RAT captured the names of all drives and files on the client's system and installed a keystroke logger that recorded every key pressed by the users of the five infected PCs and a password dumper that captured users' login details. The RAT collected that information in a file that it transmitted to the hackers in China whenever they remotely commanded it to do so.

"The most effective fraudsters are the sneaky ones," Butterworth said. "Their idea of a break-in," he continued metaphorically, "is to dress up as a pizza delivery guy, knock on your door and get you to gladly carry their infected pie inside. That's how they victimized this user and so many others."

Because this scheme went undetected for more than two years, it was difficult to estimate the client's informational losses and their financial consequences. But there was little reason to doubt their significance.

Butterworth and his colleagues, with the client's approval, disconnected the infected computers from all corporate systems. They also analyzed communications between the RAT and the hackers to identify dozens of other websites under the hackers' control and set up a firewall to prevent anyone on the client's system from connecting to any of those Internet addresses.

Finally, Butterworth and his colleagues advised the client to scan all its systems for malware, to check all network and firewall logs for signs of traffic with the hacker sites to get a better sense of which and how much information was lost and to develop a plan for preserving evidence that might be useful if litigation ensues.
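The two follow-up steps just described, blocking the hacker-controlled addresses and checking network and firewall logs for earlier contact with them, can be scripted. The block below is an added illustration, not HBGary's tooling or anything from the article: it takes a block list of hostnames and IP ranges (constructed here from reserved example domains and RFC 5737 documentation addresses), scans a small constructed log export for connections to them, and summarizes per internal PC how long the contact lasted and how many bytes left while the traffic was still allowed, which is the kind of figure needed to estimate what was lost.

```python
"""Find traffic to hacker-controlled hosts in a firewall/proxy log export.

Added example, not code from the article or from HBGary. The block list and
the log lines are constructed; domains use reserved example names and the
addresses come from RFC 5737 documentation ranges.
"""
import ipaddress
from datetime import datetime

# Constructed block list: names and networks identified from the RAT's traffic.
BLOCKED_HOSTS = {"c2-update.example.net", "static.example.org"}
BLOCKED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed log lines, one connection per line:
# timestamp src_ip dst_host dst_ip bytes_out action   ("-" = host name unknown)
SAMPLE_LOG = """\
2012-10-01T08:02:11 10.0.0.21 cdn.example.com 192.0.2.10 1200 allow
2012-10-01T08:05:43 10.0.0.21 c2-update.example.net 203.0.113.45 48211 allow
2012-10-01T09:17:02 10.0.0.34 mail.example.com 192.0.2.25 800 allow
2012-10-02T13:40:09 10.0.0.21 files.c2-update.example.net 203.0.113.46 1048576 allow
2012-10-03T22:01:55 10.0.0.57 - 198.51.100.7 73000 allow
2012-10-04T07:12:00 10.0.0.34 static.example.org 192.0.2.80 512 deny
"""


def host_matches(host, blocked_hosts):
    """True if host is a blocked name or any subdomain of one."""
    if host == "-":
        return False
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


def ip_matches(ip, blocked_nets):
    """True if the destination address falls inside a blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked_nets)


def parse_line(line):
    ts, src, host, dst, nbytes, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "dst": dst, "bytes": int(nbytes), "action": action}


def find_c2_traffic(log_text, blocked_hosts=BLOCKED_HOSTS, blocked_nets=BLOCKED_NETS):
    """Return every log record whose destination name or address is on the block list."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if host_matches(rec["host"], blocked_hosts) or ip_matches(rec["dst"], blocked_nets):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Per internal host: first and last contact, connection count, bytes that got out."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(rec["src"], {"first": rec["ts"], "last": rec["ts"],
                                            "connections": 0, "bytes_out": 0})
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        s["connections"] += 1
        if rec["action"] == "allow":      # denied connections moved no data
            s["bytes_out"] += rec["bytes"]
    return summary


if __name__ == "__main__":
    for src, s in summarize_by_source(find_c2_traffic(SAMPLE_LOG)).items():
        print(f"{src}: {s['connections']} connection(s) from {s['first']} to "
              f"{s['last']}, {s['bytes_out']} bytes out")
```

Matching on subdomains matters because a block list built from observed traffic rarely sees every host name the same operators use; matching on address ranges catches connections where the log recorded no name at all. The earliest timestamp per PC gives a lower bound on how long the infection was active.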

Despite Butterworth and his team's quick response and remedial action, there's only so much he and other CFEs can do when clients come to them for help on systems that have been infected for lengthy periods without anyone noticing. That's why preemptive policies and procedures are essential to minimize the number of cyber-attack vectors endangering your client's systems.


If there's anything that gets under Butterworth's skin, it's entities granting extensive system access to senior staff members who feel entitled to it simply because of their ranks.

"Being CFO doesn't necessarily mean you need access to every finance module in the system," he said. "Along with rights like that comes greater responsibility for security, and some executives just aren't able to shoulder that burden. Fortunately, they don't have to. A well-designed dashboard can give officers all the information they need without endangering corporate systems and information."

Digital dashboards pull summary data from various system modules and present it on an executive's desktop in diverse graphical views of business operations.

To illustrate how risky it can be for an executive to have more access than necessary, Butterworth described a case in which one of his clients — a law firm — suffered a successful cyber attack when a junior attorney unwittingly helped infect the PC of a senior partner. But, unlike the goof-off employee above, who inadvertently facilitated an attack by using a corporate PC to visit a porn site, the junior attorney was simply trying to do his job.

The trouble began when he received an email from an apparently known, legitimate source. The message, which was in fact a forgery, carried a malicious PDF purporting to be a legal document of the kind the junior attorney and senior partner often worked on together — a court order for the preservation of evidence. Because neither its apparent source nor its content appeared suspicious, the junior attorney opened the attachment. When its contents turned out to be unfamiliar, he sought guidance by forwarding the message to the senior partner, who also opened the attachment.

Neither had any way of knowing it, but opening the attachment executed malware that infected their PCs and spread to sensitive system modules that the senior partner had access to. As in the case discussed above, hackers were able to survey the entire system and take the type of information they were after, which, in this case, concerned intellectual property.

Unlike the earlier case, however, this was an attack that involved advance planning and research that had nothing to do with technology. These hackers were skilled spearphishers, whose precisely aimed attack sought a particular type of information accessible only to certain senior staff members of the law firm.

The hackers were anxious not to draw attention to their attempt, so they sent only one message to one carefully selected user — the junior attorney. How did they know to whom to send it? By performing extensive research and reconnaissance — much of it offline — on who worked with whom in the law firm and on each attorney's kind of work.

At the same time, the hackers explored the firm's email address-naming convention. So, when the technological part of their scheme — a virus — was ready, the hackers knew to whom to send it. They also had figured out how to trick that lower-level user into persuading a senior and perhaps more cautious staff member to open the attachment and launch the cyber attack against several sensitive information resources to which few employees had access.

"Because this was the first message from this source and of this kind the firm's anti-virus software encountered, it appeared harmless," Butterworth said. "That's the inherent weakness of most such applications; the only threats they detect are those that have appeared previously; they can't detect new ones. The best way to protect corporate information from them is to limit access as much as possible without reducing productivity. CFEs should educate their clients and employers on the security virtues of executive dashboards, which provide only that information a staff member truly needs. If an executive resists the dashboard approach, I pose two questions: One, if your computer or account were compromised, what information would that give the hackers access to? Two, are you willing to accept that risk on behalf of the company? Personalizing it like that gets their attention."

Butterworth said hackers try to discover valid email addresses for delivering malware by sending trial-and-error test messages. So, he said, CFEs should advise their clients and employers to make their email addresses less predictable and to fine-tune the security settings on their mail servers, which can limit the detail returned to senders of undeliverable messages.

"If a hacker guesses wrong on an email address, have the server simply reply 'Message not deliverable' and suppress the server name," he advised.
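Besides giving away less in the bounce, a mail server's own logs show when someone is guessing addresses: a single client producing many "user unknown" rejections for different recipients within a few minutes looks nothing like a correspondent who mistyped one address. The block below is an added example, not from the article or HBGary; it parses constructed rejection lines in the style Postfix's smtpd writes (the field layout is an assumption about that format, and every address and IP is a placeholder) and flags any client that was rejected for five or more distinct recipients inside a ten-minute window.

```python
"""Flag SMTP clients that probe a domain for valid addresses by trial and error.

Added example, not from the article or HBGary. The log lines are constructed
in the style of Postfix smtpd "User unknown" rejections; addresses and client
IPs (RFC 5737 ranges) are placeholders.
"""
import re
from datetime import datetime, timedelta

SAMPLE_MAILLOG = """\
Oct  3 09:01:12 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <jsmith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<jsmith@example.com> proto=ESMTP helo=<mail.example.org>
Oct  3 09:01:40 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <john.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<john.smith@example.com> proto=ESMTP helo=<mail.example.org>
Oct  3 09:02:05 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <smithj@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<smithj@example.com> proto=ESMTP helo=<mail.example.org>
Oct  3 09:02:33 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <j.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<j.smith@example.com> proto=ESMTP helo=<mail.example.org>
Oct  3 09:03:10 mx1 postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <johns@example.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.org> to=<johns@example.com> proto=ESMTP helo=<mail.example.org>
Oct  3 11:45:02 mx1 postfix/smtpd[4203]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 550 5.1.1 <acounting@example.com>: Recipient address rejected: User unknown in local recipient table; from=<vendor@example.net> to=<acounting@example.com> proto=ESMTP helo=<mail.example.net>
Oct  3 12:10:17 mx1 postfix/smtpd[4210]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <someone@elsewhere.example>: Relay access denied; from=<x@example.org> to=<someone@elsewhere.example> proto=ESMTP helo=<x>
"""

# Only 550 "User unknown" rejections count; relay refusals and other errors are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 .*?User unknown.*? to=<(?P<rcpt>[^>]+)>"
)


def parse_unknown_recipient_rejects(log_text):
    """Return (timestamp, client_ip, rejected_recipient) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("rcpt").lower()))
    return events


def find_enumeration(events, window=timedelta(minutes=10), threshold=5):
    """Map client IP -> max number of distinct unknown recipients seen inside one window."""
    by_ip = {}
    for ts, ip, rcpt in events:
        by_ip.setdefault(ip, []).append((ts, rcpt))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        best = 0
        for i in range(len(items)):          # slide a window starting at each rejection
            start = items[i][0]
            seen = set()
            for ts, rcpt in items[i:]:
                if ts - start > window:
                    break
                seen.add(rcpt)
            best = max(best, len(seen))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumeration(parse_unknown_recipient_rejects(SAMPLE_MAILLOG)).items():
        print(f"{ip}: {n} distinct unknown recipients within 10 minutes")
```

The threshold and window are starting points to tune against a site's normal bounce rate; the point is that the count of distinct rejected recipients per client, not the raw rejection count, separates guessing from an ordinary typo. A flagged client is a candidate for rate limiting or blocking at the mail gateway and a cue to warn the staff whose addresses were being probed.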


"When users find out that hackers targeted them, they say, 'These people somehow found my information on the Internet and decided I was going to be their cyber attack vector to carry out fraud?'" Butterworth said. "That's a very sobering realization."

Butterworth said that CFEs can try to persuade corporate leaders that the next cyber-intrusion headline might be about their organization by focusing on the consequences of a data security breach.

"Executives sometimes are more mindful of the expense and inconvenience of data security policies and procedures; they forget how much they've invested in research and development and how much intellectual property the organization has amassed," he said. "So, remind them: When that gets pilfered, their company itself has been stolen and moved overseas."

Robert Tie, CFE, CFP, is contributing editor of Fraud Magazine and a New York business writer. 


The Association of Certified Fraud Examiners assumes sole copyright of any article published on or ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to