
The Insider Threat of Vishing


To:

From:

Date: 4/20/2022

RE: Insider Threat – Vishing

BLUF (Bottom Line Up Front)

A vishing attack is a major insider threat that could result in losses of billions of dollars for an organization because of unauthorized access to corporate systems. Multi-factor authentication mechanisms are the most effective approaches to prevent vishing attacks because they provide a wide range of security tools for an organization.

Background

Insider threat is one of the common issues in the corporate and intelligence world. While it is often a high priority for senior management, difficulties in defining it have made it hard for many organizations to identify and resolve this issue. According to the National Insider Threat Task Force, insider threat refers to the threat an insider poses to U.S. national security when he/she uses his/her authorized access, knowingly or unknowingly, to do harm (Cybersecurity and Infrastructure Security Agency, 2020). However, insider threat extends beyond risks posed to U.S. national security because it also occurs in the corporate and intelligence world. It can include everything from forgetting to lock the computer. This essentially means that an insider threat is a security risk emanating from within the targeted organization through the intentional or unintentional acts of its internal stakeholders.

This organization is facing the risk of vishing, a security risk that falls under the general category of phishing attacks. Vishing is carried out against the targeted organization to obtain sensitive information that could be used for identity theft or financial benefit. It entails the use of fraudulent phone numbers, text messages, and voice-altering software to trick users into providing sensitive information (Pangaro, 2020).

As the organization continues to rely on technology, vishing remains an insider threat that could compromise its effective operations and success. If any internal stakeholder in the organization answers a call from a fraudulent phone number, he/she could provide cybercriminals with sensitive information that could result in huge losses. A successful vishing attack could give cybercriminals access to sensitive customer data, financial assets, systems, files, and trade secrets. If an internal stakeholder in the company participates in a successful vishing attack wittingly or unwittingly, the organization could lose at least $58,000. Pangaro (2020) notes that a successful vishing scam results in losses worth multi-millions of dollars annually while the average cost for small businesses is $58,000.

Vishing attacks remain major insider threats for the company given that nearly 76% of businesses suffer from this risk each year. Therefore, the company needs to develop a suitable framework to prevent and deter this form of insider threat. By establishing a proper prevention and deterrence framework, the company would lessen the risk of huge financial losses and operational disruptions associated with it. In essence, the company could save more than $58,000 by creating a strong framework to prevent and lessen the vulnerability to vishing attacks.

Analysis of Options

The prevention of vishing attacks requires a company to develop appropriate protocols, procedures, or policies to enhance the security of its systems. Existing examples of vishing attacks show that anyone with access to an organization’s systems is a potential insider threat. Therefore, organizational policies, procedures, and protocols help to lessen the threats posed by internal stakeholders with access to systems.

One of the potential solutions to preventing vishing scams for this organization is establishing multi-factor authentication (MFA) mechanisms. MFA involves adding an extra layer of security that is required to grant access to a system. Using this mechanism, a user is granted access to a system only after successfully providing several separate pieces of evidence. Nwabueze, Obioha & Onuoha (2017) state that MFA can be in the form of knowledge (something the user knows), possession (something the user possesses), or inherence (something the user is). An improved MFA requires the user to provide at least three different authentication factors to be granted access to the system or resource he/she is seeking.

The second probable solution is restricting virtual private network (VPN) connections. A VPN creates a secure channel between a trusted network and a remote computer (Jang-Jaccard & Nepal, 2014). When using this approach, the IT department or professionals check installed certificates on the system and ensure that corporate systems are only accessed by authorized users. In some cases, IT professionals restrict VPN connections to a specific time of day to prevent overseas attempts to access corporate systems. Moreover, VPN connections can be restricted to managed devices only through mechanisms like installed certificates and hardware checks. In such scenarios, user input alone is not adequate to grant access to corporate systems.

MFA mechanisms and restricting VPN connections both seek to add extra layers of security to systems. Both approaches add layers of security on top of user input to help ensure that only authorized users are granted access to corporate systems. In addition, both measures can restrict access to managed devices only, which implies that scammers would still be unable to access corporate systems even when they have sensitive information. However, MFA seems to have more layers of security or protection than limiting VPN connections. VPN connections can be restricted by managed device and time of day, with access monitored through installed certificates or hardware checks. In contrast, MFA mechanisms give a wide range of tools to plug holes in the attack surface available to a scammer. Some of these tools include checking IDs or state licenses to determine the authenticity of the user, picture matching, knowledge-based identification quizzes, device assessment, and biometrics. In addition, while VPNs are only for connections and cannot prevent unauthorized physical access to a system, MFA mechanisms offer protection against attempts to access a computer system physically.

Cite This Paper
"The Insider Threat Of Vishing" (2022, April 20) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/insider-threat-vishing-essay-2179943
