Imagine my surprise to find identity – and insider threats – at the center of the best-selling crime novel The Girl in the Spider’s Web. In this, the fourth installment of the Millennium series, written by David Lagercrantz, our heroine, Lisbeth Salander, uncovers fraudulent ties between a criminal syndicate, the National Security Agency (NSA), and a large technology corporation. And here’s where it gets interesting: she uses phishing attacks targeted at IT administrators to gain rogue access to these organizations, to discover their illicit dealings, and to trick her adversaries.
In one chapter, Salander studies a psychiatrist’s social media activities, then uses knowledge of his charitable work and hobbies to send him fake but believable emails with embedded malware. Once the doctor clicks on one of the fake emails, Salander is able to gain access to highly confidential files. She even uses these tactics on the NSA:
“They began as usual with social engineering. They had to get the names of system administrators and infrastructure analysts who held the complex passwords for the intranet. It would not do any harm either if there was a chance that some careless oaf was being negligent about security routines. In the end she used the identity of a man named Tom Breckinridge to penetrate NSAnet … now she was on her way to Active Directory – or its equivalent – to upgrade her status. She would go from unwelcome little visitor to superuser.”
At first I chuckled when I read this, but upon reflection, I think it’s important to take stock of what’s being portrayed. This is not futuristic fiction, and it’s definitely not super-spook, spy vs. spy trickery. Unfortunately, the methods used by Lisbeth Salander are all too common in the real world. In fact, they are exactly the same tricks used by hackers to steal millions of confidential records from Target and the U.S. Office of Personnel Management (OPM). And the victims in these cases were not criminals or spies, but ordinary citizens.
The book describes what SailPoint is talking about: the new attack vector is the human vector. The book provides a not-far-fetched example of what IT organizations face on a daily basis – in both the public and private sector. Fortunately, you don’t need a best-selling author of fiction to provide a solution. In order to prevent data breaches and detect criminal exploitation, organizations need to start with the identities of their employees, partners and contractors – because identity is everything when it comes to protecting sensitive information from attacks that are becoming all too common.