Hackers are always looking for a weak link into an organization's systems, ideally one that leads to lots of valuable data. Because of their access to highly sensitive employee information, human resources departments provide an attractive target.
"HR has the keys to the kingdom," said Stu Sjouwerman, founder and CEO of security software and training firm KnowBe4 and author of the book CyberHeist. "While network administrators can get into the entire network, HR people have access to all employees, payroll and healthcare, but are generally are not so security conscious."
Gameover ZeuS Malware
This concern was brought to the forefront recently with the Gameover ZeuS attacks. Gameover ZeuS is a Trojan based on ZeuS malware that has been capturing banking data since 2011. A key factor distinguishing it from the original ZeuS malware is that Gameover ZeuS uses a peer-to-peer structure rather than a central server, making the bot networks harder to kill. Earlier this year, enterprising hackers started using Gameover ZeuS to target HR.
"Particularly in organizations with a lot of technology in place, HR is becoming a bigger target for social engineering," said Sjouwerman.
Hackers use recruitment sites like CareerBuilder and Monster as the attack vectors. Spear-phishing is used to obtain access to a workstation to install Gameover ZeuS. The malware operates similar to a keylogger, capturing information from website forms, including grabbing usernames and passwords.
Step two involves getting employees to give out additional information that is needed to take full control of the CareerBuilder or Monster account. One technique involves injecting a new sign-in button into the log-on page, which takes the person to a form containing a set of security questions for the person to answer to verify their identity. These pages appear identical to the actual CareerBuilder and Monster pages.
"The bad guys are implanting phantom employees to cash in on payments to these fake identities," Sjouwerman said. "Further, if the HR account is tied to a bank account and has a spending budget, it's a target for banking Trojans."
Hacking, Human Resources and the Human Factor
Gameover ZeuS is one of the latest means of targeting HR, but it's far from the only one.
"The odds are high that a company will be breached from the inside," said Humayun Zafar, assistant professor of Information Security and Assurance at Kennesaw State University in Georgia and author of the security chapter in the textbook Human Resource Information Systems, Third Addition which was published earlier this year. "Insider attacks account for probably 70 percent of attacks."
While companies may have all their firewalls, antivirus and intrusion prevention systems in place, it isn't enough. Zafar said that information security is 20 percent technical and 80 percent managerial. The technical aspects of protecting HR systems are no different than protecting any other type of IT systems. However, those setting up and using the systems are usually more interested in people than computers and love to help. This makes them an easy mark, and so they need extra protection.
"HR people should be trained not to fall for social engineering and their workstations should be given extra protection," Sjouwerman said.
It is particularly important that HR professionals receive thorough security awareness training, not only to keep from falling for a human-engineering attack themselves but also because others in the organization are likely to follow email or phone instructions that seem to come from HR.
"Part of our education process is helping the HR departments learn how to communicate with people so it doesn't sound like a phishing email or a phone elicitation call," said Chris Hadnagy, CEO of Social-Engineer, Inc. and author of the book Social Engineering -- The Art of Human Hacking. "That way employees can more easily recognize when something is a little bit fishy."
His company tests employees by phoning them or sending them emails, frequently pretending to be from HR. Last year, for example, he used the advent of Obamacare as a way to reach out to employees.
"By saying we are with the HR department, we had a success ratio of 67 percent when we asked people to give us their full name, data of birth and Social Security number, he said. "The reason people fall for it is that people are expecting those kind of communications from HR."
Human Resources Security Tips
In addition to phone or email phishing attacks, there are a few other common security gotchas that HR needs to be aware of:
- Do not post individual HR email addresses online in recruitment ads or giving them out over the phone to people wanting to email resumes. This gives hackers the format for internal email addresses and also identifies a particular HR person’s email that can be spoofed in sending out malware or phishing emails to other employees.
- Be wary of "applicants" bringing in resumes on infected USB drives.
- Ensure proper security settings are in place before uploading files with confidential information to a cloud service.
- Make sure HR data protection matches the requirements of the countries where employees work, as well as countries where data is stored.
- And, the most important factor: Train HR staff in at least the human-engineering aspects of security and test their security awareness throughout the year.
"What doesn't work is training them once a year in a break room where they are shown a few slides and told not to click on bad links," Sjouwerman said.
Drew Robb is a freelance writer specializing in technology and engineering. Currently living in California, he is originally from Scotland, where he received a degree in geology and geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).