// by Sprocket Security in Strategic Pentesting, Phishing
Remember when email spam was the "cool kid" for hackers trying to break into your system? Oh, those were the days. With cybersecurity threats constantly growing and evolving, that spam is no longer the front line of the battlefield.
Email is losing its status as the path of least resistance thanks to major improvements in filtering, heavy inbox monitoring and a rise in security awareness training. These days, attackers are seeking fresh bait and using new, alternate channels to lure your employees to the virtual windowless van across the street.
New phishing streams emerge
The crazy thing: these channels are right under your nose. Attackers are targeting the software you’ve likely integrated to support a growing remote-work environment, digital customer service and various automations, including:
- Chat solutions like Slack and Microsoft Teams
- Website chatbots
- Voice and text messaging
Because these channels are newer, there has been far less demand for security controls on them than on email, so far fewer controls exist to protect them. Attackers cast their nets there and reel users in, asking them to take seemingly harmless actions designed to get your employees to:
- Download malicious files
- Click on malicious links
- Disclose their passwords and other sensitive information
An out-of-the-box website chat platform is a favorite entry point for attackers. Here’s why: letting customers upload files directly in the chatbot interface is valuable for speedy, direct interaction, but it also opens a wide path for malicious files into your network. All it takes is one well-intentioned, under-trained employee opening one of those files from a workstation on the corporate network to leave your company exposed.
"Since most user security awareness training only covers email-based phishing, this is an increasingly significant problem and one we’re seeing pop up more and more," said Casey Cammilleri, principal and owner here at Sprocket Security. “It’s crucial to make sure every entry point into your organization’s network is secure."
Ultimately, companies need to test for vulnerabilities across these new channels frequently and continuously, using continuous penetration testing, or face the unpleasant alternative: drafting a data-breach apology statement.
Quick guide to protect new channels
You can implement the following practices to help derail attackers:
- Disable the ability for anonymous users to share files with staff via website chatbots
- Update security awareness training for voice and text messaging, and implement text/call filtering on user devices
- Use technical controls to filter user access to malicious links and files when connected to the company network
- Disable file sharing on alternate channels, and require users to use company-approved file-sharing services
- Limit which users can create shared organization channels in chat
- Never share sensitive information using chat platforms such as Slack and Teams
- Identify your network’s weaknesses with continuous penetration testing
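The controls above are policy statements; as an added example (my own, not Sprocket Security’s code or tooling), here is how the first, third and fourth of them can be encoded as a single check run on every inbound chat event before it reaches staff. The ChatEvent shape, the blocked-extension list, the channel names and the approved file-sharing hosts are all assumptions; a real deployment would map a Slack, Teams or website-chatbot webhook payload into ChatEvent and hand the verdict to the platform’s moderation or DLP hook.

```python
"""Policy check for inbound chat events on non-email channels.

Added example (not Sprocket Security's code). Event shape, extension
list, channel names and approved hosts are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions that commonly carry executable or macro payloads (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                      ".iso", ".img", ".docm", ".xlsm", ".pptm"}
# Hosts of the company-approved file-sharing services (assumed names).
APPROVED_LINK_HOSTS = {"sharepoint.example.com", "drive.example.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


@dataclass
class ChatEvent:
    channel: str                # "website-chatbot", "slack" or "teams"
    sender_type: str            # "anonymous", "external" or "internal"
    text: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    allow: bool
    reasons: list[str]


def extract_links(text: str) -> list[tuple[str, str]]:
    """Return (hostname, path) for every http(s) URL in the message text."""
    links = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url.rstrip(".,;:)"))
        if parsed.hostname:
            links.append((parsed.hostname, parsed.path))
    return links


def evaluate(event: ChatEvent) -> Verdict:
    """Apply the channel-hardening rules to one event; empty reasons == allow."""
    reasons: list[str] = []

    # Rules 1 and 4: no direct file sharing on chat channels at all. Anonymous
    # chatbot uploads get their own reason so the alert is easy to triage.
    for name in event.attachments:
        if event.channel == "website-chatbot" and event.sender_type == "anonymous":
            reasons.append(f"anonymous chatbot upload blocked: {name}")
        else:
            reasons.append(f"file sharing disabled on {event.channel}; "
                           f"use an approved sharing service instead: {name}")

    for host, path in extract_links(event.text):
        # Rule 4: outside senders may only link to approved hosts. Compare the
        # full hostname, never a prefix or substring, so a lookalike such as
        # sharepoint.example.com.attacker-files.net does not pass.
        if event.sender_type != "internal" and host not in APPROVED_LINK_HOSTS:
            reasons.append(f"link host not on approved list: {host}")
        # Rule 3: filter direct downloads of risky file types from anyone.
        # Only the last suffix counts, so "/invoice.pdf.exe" is an .exe.
        ext = PurePosixPath(path.lower()).suffix
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"link to blocked file type {ext}: {host}{path}")

    return Verdict(allow=not reasons, reasons=reasons)


# Constructed sample events, one per rule plus a clean message.
SAMPLE_EVENTS = [
    ChatEvent("website-chatbot", "anonymous", "see attached invoice",
              ["invoice.pdf.exe"]),
    ChatEvent("slack", "external",
              "Updated contract: https://sharepoint.example.com.attacker-files.net/contract"),
    ChatEvent("teams", "internal",
              "Q3 numbers: https://sharepoint.example.com/sites/fin/q3.xlsx"),
    ChatEvent("teams", "internal",
              "installer here: https://drive.example.com/share/setup.exe"),
    ChatEvent("teams", "internal", "quick note", ["notes.txt"]),
]


def run_samples() -> list[Verdict]:
    """Evaluate every constructed sample event in order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_samples()):
        status = "ALLOW" if verdict.allow else "BLOCK"
        print(f"{status:5} {event.channel:16} {event.sender_type:9} {verdict.reasons}")
```

Only the internal user linking to an approved host with an ordinary spreadsheet gets through; the anonymous upload, the lookalike SharePoint host, the executable on an approved host and the direct attachment are all stopped. The lookalike case is the one to watch when wiring this into a real platform: a `startswith` or `in` check on the approved host name would let it through.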
"Some companies may think they’re staying ahead of the game by performing an annual test, but the truth is, that frequency is far too low," Cammilleri said. "Breaches happen all the time. How can you know where your current vulnerabilities are without continuous penetration testing?"
In the midst of a changing social engineering landscape, properly planned and executed continuous penetration testing can help your organization stay one step ahead of attackers. Repeated, thorough investigation of potential weaknesses can reveal your network’s Achilles’ heel and strengthen your cybersecurity. Want to get into the weeds and learn how continuous penetration testing can prevent attacks through these channels? Give us a call at +1 608 260 7909 or send us an email any time.