“Gone Vishing” – Preying on WFH new hires

And it’s September. What is there to talk about? The kids are starting to head back to school (depending on your location, perhaps they won’t be), and as Aaron noted in his most recent Enterprise Dish episode (embedded below), we’re nearing the start of a mad rush to get things done before the holidays and the end of the year. There’s another Patch Tuesday (like always), and Microsoft has made some changes to app containerization plans, including some major revisions to features that we’ve written about previously. As fascinating as I found the minutiae of this plan, I don’t have much to say about news of this sort until the final version of Windows 10X is actually released, since this is an area where plans have been in flux for a while.

Gone “Vishing”

WFH new hire security concerns

So instead, I want to talk about “vishing.” You can watch the entire episode below, and you will not find Brad or Aaron using this novel (and completely made-up) word. What you will find is Aaron’s lengthy response to a viewer question about how the process of hiring new employees has changed for Prowess and SmartDeploy during the pandemic – in last month’s blog post, I casually referred to this as “an interesting security challenge.” What I meant at the time was that hiring people without being able to meet them in person exacerbates the challenge of identity verification and security vetting. Aaron did discuss how the hiring process has become more drawn-out – more interviews, more internal discussions, more third-party verification and testing, etc. But ultimately, at some point, management must make a judgment call about whether to ship this person a device (which will be managed by our organization’s security policy) and give them access to our corporate network.

Following that decision, Aaron also mentioned a novel tendency that the most successful new hires have had since the start of the pandemic: They will tend to put themselves out there, both within and outside of their respective teams, to attempt to duplicate some of those natural team interactions that would previously have happened in the break room or at the water cooler in the before-times. This is useful as a matter of sanity and team cohesion (and indeed, I’ve had occasion to chat with several of our new hires in the course of my work on the SmartDeploy Support Team). But I would also submit that it’s useful on the organizational security front, and existing employees would do well to get chummy with the new hires. It’s the right thing to do, it makes them feel welcome and do their jobs better, and it’s also one of the best ways to keep your organization safe against cybersecurity threats.

We can patch against zero-day vulnerabilities (indeed, Microsoft patched two of those this month), but it’s a lot harder to sneak into someone’s neighborhood to cause trouble if you’re friendly and comfortable with the neighbors. And to step out of the metaphor: you can’t patch against social engineering attacks – you can only train for them and encourage your company’s culture to be resilient against them.

What is “vishing”?

Which brings me to vishing, the silliest-sounding threat that I’ve ever been sternly warned about by both the FBI and CISA (via KrebsOnSecurity, who first reported on the issue). Vishing is a portmanteau of “voice phishing,” wherein determined threat actors target new employees of a company by phone, posing as a member of that company’s IT department, in an effort to steer them to a detailed and personalized phishing page, branded with the target company’s logo and disclaimers, where the victim is asked to punch in their company credentials.

This attack has had an alarmingly high success rate compared to an email with a dubious link (people have gotten a bit better at ignoring those), and it’s easy to see why. The attacker will often pretend to be a new IT employee themselves, which is both a hedge against making minor factual errors and a frequently effective ploy to evoke sympathy and compliance from their would-be victim. Once the attacker has the employee’s credentials, they use them to connect to the corporate VPN, and from there they can attempt to spread further into the company’s network. The hapless new employee is just one part of a vastly expanded attack surface. If their company is following the principle of least privilege, their access should be limited to what is required to do their current job. But once the attacker gets in, they can look for other ways to expand their access and steal other credentials, or they can just sit back and surveil what activity ordinarily occurs on the company’s network, which can improve their chances of success in subsequent phishing operations.
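The paragraph above describes the one observable step in this attack that a defender can actually watch for: a freshly created account logging in to the corporate VPN from somewhere the real employee never connects from. The following is an added example, not code from the original post or from Prowess/SmartDeploy, of the kind of check a security team could run over VPN authentication logs. The log line format, the user directory, the 30-day “new hire” window, and the /24 network grouping are all assumptions made for this illustration (the sample lines and hire dates are constructed, not real data). It generalizes slightly beyond the text by flagging any change of source network for a new hire, not only a first VPN login.

```python
"""Flag VPN logins by recently hired accounts that arrive from a source
network the account has not used before.  Added example; the log format,
field names and thresholds below are assumptions, not a real product's API."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: accounts younger than this are treated as high-risk targets.
NEW_HIRE_WINDOW = timedelta(days=30)

# Constructed sample directory data: username -> hire date (fictional users).
HIRE_DATES = {
    "jdoe": date(2020, 8, 24),    # hired ten days before the sample log ends
    "asmith": date(2018, 3, 2),   # long-tenured employee
}

# Constructed sample VPN authentication log; assumed line format:
#   <ISO-8601 UTC timestamp> <username> <result> <source IP>
SAMPLE_LOG = """\
2020-09-01T08:02:11Z jdoe success 203.0.113.7
2020-09-01T08:05:40Z asmith success 198.51.100.23
2020-09-02T09:14:02Z jdoe success 203.0.113.7
2020-09-03T21:47:55Z jdoe success 192.0.2.200
2020-09-03T21:52:10Z asmith success 192.0.2.201
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one log line into (timestamp, user, result, source address)."""
    ts, user, result, src = line.split()
    return datetime.strptime(ts, TS_FORMAT), user, result, ip_address(src)


def is_new_hire(user, when, hire_dates=HIRE_DATES):
    """True if the account was created within NEW_HIRE_WINDOW before `when`."""
    hired = hire_dates.get(user)
    if hired is None:
        return False
    age = when.date() - hired
    return timedelta(0) <= age <= NEW_HIRE_WINDOW


def find_suspicious_logins(log_text, hire_dates=HIRE_DATES, prefix_len=24):
    """Return (timestamp, user, ip) for each successful login by a new hire
    whose source network differs from every network that user logged in
    from earlier in the log.  The first login establishes the baseline;
    only a later change of network is reported."""
    seen_networks = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = parse_line(line)
        if result != "success":
            continue  # failed attempts are a separate signal; ignored here
        net = ip_network(f"{src}/{prefix_len}", strict=False)
        is_new_network = net not in seen_networks[user]
        seen_networks[user].add(net)
        has_baseline = len(seen_networks[user]) > 1
        if is_new_network and has_baseline and is_new_hire(user, ts, hire_dates):
            alerts.append((ts.strftime(TS_FORMAT), user, str(src)))
    return alerts


if __name__ == "__main__":
    for when, user, ip in find_suspicious_logins(SAMPLE_LOG):
        print(f"{when} new-hire account {user!r} connected from unseen network ({ip})")
```

In the constructed log, jdoe (hired ten days earlier) connects twice from 203.0.113.0/24 and then from 192.0.2.0/24, so that third login is reported; asmith also switches networks but is outside the new-hire window and is not. In practice the baseline should come from a longer history than the log being inspected, and a hit is a prompt to phone the employee through a known-good number, not proof of compromise.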

It’s diabolical, isn’t it? And it preys on the very things we crave most during the pandemic, both generally – human interaction and socialization, and specifically – a desire to make a good impression, pick up institutional knowledge, and be helpful when joining a team you’ve never met, in a workspace that’s 20 feet from where you sleep at night, and where you can count the seconds until your next interruption. It’s a hard problem to solve. I can offer all kinds of tips on how to design your security environment, but I can’t make a company’s team more cohesive. The team has to do that themselves.