April 16, 2019
Security

Anatomy of an Attack: An evil twin joins an accounting firm

This is a series designed to illustrate the impact of data breaches on different types of businesses from the perspective of key stakeholders at those businesses.

In this first installment of Anatomy of an Attack, we begin with a look at how clients’ private files were stolen from an accounting business by cybercriminals due to a mix of social engineering, malware, and human error.

The scenario

I never realized that a 3:00 a.m. call might actually wake me up at 3:00 a.m. On the early morning that I rubbed my eyes open and picked up my smartphone, which wouldn’t stop ringing, I heard my upset business partner utter, “An attorney at our biggest client just informed me that not only have their bank accounts been hacked, they believe that we are to blame. Actually, they said they know we are to blame.”

My first thoughts were to deny any fault: how could we possibly be to blame? A few months ago, I had hired an IT firm to build a fortress of cybersecurity around the workstations and three servers in our main office. We had strengthened our cybersecurity stance with more sophisticated firewalls, longer and harder-to-crack passwords, and granular access controls. The only way that a hacker could have possibly gotten access to the server partition where our client’s banking information was stored would have involved using either my business partner’s or my password to open the files. The only other person with access to our passwords was our loyal assistant of over twenty years.

The improvements in our cybersecurity had coincided with a major step we’d taken at our accounting firm to acquire a practice with more than 15,000 new clients: a mix of individuals, consultants, small businesses, estates, and a good number of S corps. My intention had come from a desire to do the best thing to protect the firm and my staff of CPAs, clerks, and assistants. I’d feared that in accessing and downloading thousands of client files from the acquired firm, we might be exposing our systems to who knows what, including malware and viruses.

A few hours later, I called a high-priority, all-hands meeting in our office and announced the terrible news to everyone. A PR consultant and attorney were present to provide guidelines for what we should and shouldn’t say to anyone outside of the office. After the meeting, my business partner and I rushed to make a call to the IT firm that had installed our new cybersecurity tools.

“Nothing shows up on your incident log,” the IT firm told us. “Penetration tests show nothing wrong. All we see is that you were the last user to open your clients’ folders. In fact, you opened all of them, including folders containing images of banking and financial forms.”

“Impossible,” I said with a deep frown. “I haven’t touched those folders in months.”

Next, my business partner and I confronted our assistant. We did not expect to be shocked by the response to our accusations: “I don’t understand. You emailed me last week to give the credentials for those files to the Vice President of IT at the acquired accounting firm. You said he was conducting a search for missing files and that it was urgent that he find them immediately.”

I watched in disbelief as our assistant thumbed through emails on a smartphone to show me where someone posing as me had indeed instructed our assistant to reveal the password that opens our largest client’s banking files. As I turned away from the smartphone, I said, shaking my head, “There is no Vice President of IT at the acquired firm.”


The investigation and results

The investigation after the incident revealed that a cybercriminal had likely targeted my accounting firm during a particularly haphazard, chaotic period of change management. At the start of the investigation, I realized that I knew little about what a cyber attack actually involves. I was surprised to learn that social engineering is responsible for many data breaches, and that we had been next in line for one of its common forms: an attack in which a cybercriminal poses as an executive in order to carry out malicious activities.

Our assistant, like every employee in my firm, including my business partner and me, sometimes mixes business with personal activities on a smartphone. This BYOD (Bring Your Own Device) trend is not going away anytime soon. We are tied to our devices, and BYOD actually helps to enhance productivity. Apparently, our assistant had downloaded a piece of malware thinking that it was a legitimate app. Unfortunately, it’s no longer a question of whether you will be hacked, but when.

It didn’t take the hacker long to send a fake email message posing as me: my assistant often sends emails on my behalf from a computer or smartphone. So just one fake email is all it took for the hacker to trick my assistant into forwarding credentials to open private banking files worth millions of dollars. But beyond the monetary losses were the intangible losses to my accounting business: loss of reputation and employee attrition. Several CPAs departed, believing that business would decrease for the firm and additional targeted cyber attacks could be imminent.

The Atakama difference

Desperate, I decided to encrypt all of the private files of all of my accounting firm’s clients. After pouring a great deal of thought into this top-priority decision, I chose to encrypt the files with Atakama. I had read that Atakama breaks the mold with a new approach to cybersecurity, one that fits SMBs like ours, which need to continually maintain sophisticated protection for private files without a CISO or dedicated IT security team on staff.

Before Atakama, we believed that we were safe behind our “fortress” of cybersecurity, and it never occurred to us that we needed a backup plan. I now realize that a dedicated cybercriminal has many attack vectors for breaking into any system and breaching our private files. We deployed Atakama not just to protect our clients’ private files, but to completely thwart cybercriminals from even thinking about hacking my accounting firm ever again.

Today, we protect all of our clients’ private files (and plenty of other business-critical files) with Atakama. It’s installed on all of our Windows and Mac laptops and workstations, and it works with our employees’ mobile devices. One of the reasons we picked Atakama is that it doesn’t need an IT team or extensive training; it just works. Nobody has to remember any extra passwords, and everyone knows how to save or drag files into a folder to protect them. How come the big tech companies haven’t made encryption this easy?

I sleep a lot easier now knowing that files protected by Atakama stay encrypted if a cybercriminal or other unauthorized user tries to open them. In fact, there’s only one way to open the files: instead of entering passwords, employees respond to a push notification sent to their smartphones. The team from Atakama explained to us that our protected files aren’t just encrypted: the keys required to decrypt and open them are broken into shards that are automatically placed on our mobile devices. When I or one of my staff respond to an Atakama push notification, we are allowing the software to temporarily rebuild the key in order to open the file.
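The key-sharding idea described above, modelled as an added example that is not Atakama's code (the post does not say which scheme the product uses): a file key is split with Shamir threshold secret sharing so that each mobile device holds one shard, and the key exists only while enough devices have approved. The 2-of-3 threshold, the prime field and the function names are assumptions.

```python
import secrets

# Assumed field: 2^521 - 1 is a Mersenne prime, comfortably larger than a 32-byte file key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x in the field, Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, devices: int):
    """Split a file key into one shard per device; any `threshold` shards rebuild it.

    The key is the constant term of a random polynomial of degree threshold-1; each
    device receives one point (x, f(x)). Fewer than `threshold` points reveal nothing.
    """
    secret = int.from_bytes(key, "big")
    if not (secret < PRIME and 1 < threshold <= devices):
        raise ValueError("bad key size or threshold")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, devices + 1)]


def rebuild_key(shards, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 recovers the constant term, i.e. the key.

    With too few shards the result is just a random field element (may be wider
    than key_len), so the width is widened rather than raising an OverflowError.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem, since PRIME is prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def open_file_key(approved_shards, threshold: int, key_len: int):
    """Model of the push-notification step: the key is rebuilt only once enough
    devices have responded; the caller discards it again after opening the file."""
    if len(approved_shards) < threshold:
        return None  # too few approvals: the file stays encrypted nonsense
    return rebuild_key(approved_shards[:threshold], key_len)
```

A stolen laptop or file store holds ciphertext and no shard, so the attacker still needs the approval of at least `threshold` phones.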

If cybercriminals were to steal our files protected by Atakama, they would only get worthless, encrypted nonsense. We also now know to be on the lookout for unusual file approval requests. If it’s long past tax season and my business partner or I get notifications from Atakama at 2 a.m., we now have an incident response plan to determine whether a hacker has breached our system or someone at the office is burning the midnight oil.

Most importantly, we now have a next-generation cybersecurity tool that tells cybercriminals: “Move on, nothing to see here.”
