#TEISS: The Jigsaw Effect – How Hackers Groom Your Staff
Speaking at The European Information Security Summit in central London Tim Wilson, CISO at Optum International, shone a light on how cyber-criminals piece together partial sources of information to construct an individual’s identity and form the basis of an attack – which he referred to as the ‘Jigsaw Effect’.
Wilson reflected on how this technique has been used in real life and just how damaging it can be, citing the example of a large breach on healthcare company Anthem in January 2015, in which some 78 million health and personal records were affected.
“In that breach, the FBI believed there was the use of the ‘Jigsaw Effect’ to identify a member of staff to carry out a spear phishing attack. What we do know is that it was a state-sponsored attack to remove as many records as possible.”
Wilson explained that the whole planning for this attack started back in February 2014, and that one member of staff was targeted via their professional and social media presence on the internet – a random jigsaw of information spread out all over the place.
“The member of staff concerned,” he continued, “was on a professional networking site, but they were also on a dating site, and also on Facebook. They were sharing lots of information about themselves in lots of different places, and somebody, somewhere, found this information and made them a target.”
His point here was that our actions on the internet, mainly our social networking activity, can put both us as individuals and our organization at risk.
So how can you protect yourself? Wilson stated that this comes down to having a better understanding of your own privacy when posting personal information on the internet, and taking practical steps to act on that understanding. Whilst, in an ideal world, the responsibility for keeping us safer would fall to the networking service providers, the onus is currently on us as individuals to vet how much information we are sharing and where.
“You need to treat your online security in the same way you treat your real, physical security,” he concluded.
Source: Information Security Magazine