Good morning, everybody. Thanks for staying back and listening to this session. I have only 15 minutes, so I apologize for the speed with which I'm going to go through this. I've been doing this for the last 25 years, and I've put this presentation together keeping in mind that all of us here are employees of a company, but when we step outside, we become consumers. And I'm seeing again and again that hackers always attack the weakest link. And the fun question is: when are we weak?
When we are most vulnerable. Some of our vulnerabilities are exposed when we are outside: when we are browsing online for a good deal, when we are trying to date somebody. That's when the consumer part comes out, and when the consumer part comes out, we may become vulnerable.
That vulnerability can be exploited there, and from there I'll show a technique for how your enterprise can be attacked. I've seen this; you've heard of a large attack happening.
I'll come to that later. Right now, what we are seeing here is a lot of consumers trying to date somebody.
They're trying to get a job. And I thought of an interesting point: servers have vulnerabilities and we patch them, and so do humans. Humans also have vulnerabilities. Everybody who's looking for a job, everybody who's trying to date, everybody who's trying to get a great deal online: that can be a vulnerability and can be exploited, especially if you are under stress. So I'm going to show you, and you're hearing all these news articles, they're appearing every now and then.
One very popular tool that we use every day is Instagram. Show of hands, how many of us use 2FA on Instagram today?
Fantastic, fantastic. So there was a question two sessions ago about online directories, and can they be hacked more?
Yes, they can be hacked more, but a lot of these big companies, Google, Instagram, LinkedIn, all of these, have put large amounts of money into putting security frameworks in place. But all of us have to use them. We are not doing the most basic stuff.
We have MFA on LinkedIn, Instagram, Facebook; we use them every day, but nobody realizes that we must be using MFA. I'm going to show you an attack in a couple of minutes, and how not using MFA impacts that. So this is Instagram.
We get a like from somebody. This person says, oh, wow, that looks like a pretty face. Let me follow her.
And they start chatting. More and more, we are seeing that these chats are going from Instagram into Telegram.
You would have thought Telegram wanted to be competitive with WhatsApp, but it ended up being a very good tool where anonymity is maintained, and you can do video chats. This person clicks on a link, and Myra Das wants to have a very personal chat with him. She says, okay, can we do something more personal and intimate? And he says, wow, this is my day. I'm feeling lucky.
So he shares some pictures and some videos, which are recorded, and very soon this turns out to be the biggest mistake of his life, because now the person is saying: this is extortion, and I'm going to post all these pictures and videos to your friends. But the question is, how did that person get access to the friends?
Well, we have so few friends offline, but all of us have thousands of friends online.
We are accepting requests from everybody, whether we know them or not. Why are we doing that? Because we want to increase followers. Someone looks pretty; if a hacker wants, they will record you. And they have access to all our personal information. And the funny thing is, we are so gung-ho about GDPR: make everything private.
Well, laws are not going to make it private. Somebody has to change the thought process.
Say, hey, if I don't know that person, I'm not going to make him my online friend, because I've given away a lot of information: I'm posting pictures, where I am traveling, anyway. So this can lead to a big, big issue. So let's look at an advanced attack. What I'm trying to demonstrate here is: how many of us pay attention to links? We click on links every day.
The company might have put infrastructure and software in place, and education: don't click links when you are in the office. But when we go home, we are clicking links every day, and all the reels there are really engaging. So this person does the same. He clicked on an Instagram link, and that was a man-in-the-middle attack that was happening. You are entering your details, you think that you're logging into Instagram, but there's a proxy in between, and this guy is able to see every detail that you're typing in, including your user ID and password.
What can result? You can be extorted; loss of reputation, mental stress. It's all a big deal. How to prevent it? I would suggest: don't accept friend requests from unknown people, and profiles that are too good to be true are probably that.
Deals that are too good to be true are probably that, and they're not real.
They're false. I see a lot of requests coming in on dating apps, but there are so many spelling mistakes and grammar mistakes. That's a clue: it's not a real person. You're most vulnerable when you are under stress, so I would suggest don't take hurried decisions. Lock your profiles; I don't know how many of us lock our profiles. It's a simple feature that a lot of apps provide: only your friends will know what all is in there. And last but not least, please enable MFA. It's a very simple technique.
LinkedIn, Instagram, Facebook, all these apps have spent millions of dollars on building in the security framework, but all of us have to use it. Enable MFA. And one last thing, which I did not mention here: all of us are attending a security conference specifically on identity.
So we are already well aware, and attackers don't attack aware people. They attack unaware people. They attack the weakest link. And who is the weakest link?
Your kids, your neighbors, your parents, your relatives. Go call them, educate them about what's happening outside. All of us coming to an identity conference are already very well aware, but they will not be attacking you; they will attack somebody you know. So my suggestion is, if we each call five people and they are more educated, then that's better for all of us. I'm going to show you what happens in an enterprise. So you have heard that generally the hackers go after doing a DoS attack, a DDoS attack, phishing; these days they're doing a lot of ransomware attacks.
I'm hearing that a lot of ransomware attacks are available as a service now, so more people can actually conduct their attacks.
So it's not a question of if they're going to attack your business; they are going to attack your business. It's a question of when. And there are simple things you can do to prevent a ransomware attack. One of the simplest things you can do is take a backup and make sure it can be restored. How many of us actually back up and actually test the restore? Is the restore happening, and is it timely? We don't do that.
So that's a very, very simple thing you should do. Enabling MFA is one. I'm going to show you a very interesting attack. There's not much time to go into this, but you are looking at attacks on infrastructures which spend way more than probably what your company spends, but they are still being attacked.
And a very interesting attack that happened very recently to a vendor that is demonstrating upstairs, named, well, it rhymes with orca.
You would notice that this employee was actually just browsing and using his personal laptop for accessing his personal email, which is probably most of us. We do that. And when Chrome says, do you want me to save your username and password? I would say yes, I don't want to log in every day.
And this guy did the same thing. He said yes, and using the same laptop, he's now logging into his enterprise system. Now the problem is that his enterprise stuff is also being saved under the same profile. And if I showed you that Instagram link thing, the man-in-the-middle attack: if that attack happens, then the person now has access to not only his personal Gmail user ID and password, he also has access to his enterprise user ID and password, just because it is being accessed from the same device, same browser.
Now, it may seem like nothing, but what can a hacker do with it? And what a hacker actually did, and you've heard all of this in the news, is the hacker was able to use all this information to log into the actual company website, and he got access to a ticketing system. This is an actual attack that happened. And in the ticketing system, he saw that there are session IDs that are being saved, and a session ID, who would not like that? It's a dream come true for the hacker.
If you are looking at these confidential logs and getting a session ID: he took that session ID and then he conducted a supply chain attack on all these people.
Now, a simple password hack turned into an enterprise attack, turned into a supply chain attack, all because that guy was simply trying to use the same office laptop for accessing his personal Gmail, which did not have MFA, and then he used the same profile to log into his enterprise account.
And now this hacker has access to all these. Thankfully, all the stuff that you've been hearing about, ITDR: these companies had an ITDR. So they told Orca that, you know what, something fishy is happening.
And that's how this was revealed. This became major news and quite an embarrassment for an identity vendor: you can't protect your own stuff.
So what can you do, how to prevent all this? It can be done in several ways. It can be done through education; it can be done through controls.
The controls can be: don't allow personal logins. Have a security broker in place. You can enable MFA on portals with sensitive information. You can set up an ITDR, just like the ones who figured this out. You can ask your suppliers to enable SSO and MFA; that's important. So that's about it for the consumer and the enterprise.
But one thing that's very close to my heart is: you come to a conference and you see overlapping products, and it bothers me. How will somebody figure out which product to pick? There are so many products; that's heavy lifting. So I put in a few slides for this as well. I feel that if you are a traditional small business, and what I mean by a traditional small business is: I go to the office and I work like it used to happen 10 years ago, and all my systems are in the office.
I access them there and then I go home. No systems are outside. Nobody's accessing them from outside.
Small: you need to do something for your employee identities. Too many passwords; make them one single sign-on (IAM/SSO) system. You need to do something for privileged users, who have too much access.
Insider threat is a real thing. In my company there are 500 people, and my 10 super-senior people have access to pretty much everything. They have access to good id, my website, my Google Apps, my AWS application. If that goes down, my reputation, everything's finished. So that's a real threat. Even if you're a small company, I suggest you have an IAM and a PAM system in place. What if you are a medium business?
What I mean by a medium business is: some people go outside, which means some devices go outside, which means access from outside is important, which means you need VPN, which means you should have MFA or VPN over VPN.
Simple. But not too many people go outside. What if you're a large business or a government institute which wants to do security for every employee in there? Too many people are going outside with their devices. You need an MDM solution; you need device management. You need to be aware of data leakage, and you need to do something about that.
You need to do threat detection, which is the thing at the bottom. What if you are an online small business? All businesses these days, they're small, they're coming up, they don't have money to have a large network installed inside and then do business.
They start stuff online, meaning my emails are on Google Apps, and that's how small businesses start. Since access is from anywhere, you will need SSO and PAM. You'll need a security broker, because a security broker is something very important: all your identity systems take care of your first access.
But what about subsequent access? I can log in from the office, take my laptop home, I can do stuff there, I can download stuff there. You need a CASB there.
Last but not least, if you're a large consumer-facing website, you need redundancy: database redundancy, load balancing, firewall and all that stuff. So that's about it. Protecting your identities is of paramount importance; this is an identity conference, you guys are here to learn about identity. I hope I did not waste too much of your time. If you have any questions, I'm outside and also on the sea floor; please come seek me. Thank you so much.
Great, thank you.