Defending Against a Hack Attack

Personal social media accounts can offer a golden opportunity to infiltrate your business. An IT director shares tips on reducing the threat.
Kathleen Hurley, Madison International Realty

Kathleen Hurley, Madison International Realty

By Kathleen Hurley, Madison International Realty

In the new world of social networking, it is much easier to gain useful information about a target than it ever has been before.  Social networking is a hacker’s paradise.

The most dangerous hackers currently focus on finding accounts that lead to deep penetration of networks—which means your personal accounts can also put your company at risk.  Your personal identity can be a vector for a hacker to leverage your relationships.  Your workplace, colleagues, properties, investors, clients and friends can all be made vulnerable through your Facebook or Twitter account.

From a hacker’s perspective, finding a vulnerability on your personal accounts is a golden opportunity. Learning your passwords is just the beginning of a hack.  The bonanza comes when the hacker is able to use your personal information or social media connections (or Facebook relationships) to determine where you work, volunteer or invest. Using your password to log in to your work servers, the hacker will sit quietly, watching the patterns on the network and gathering information about the environment. Typically, hackers create what are known as lateral accounts, which enable them to get back in “legitimately” under their own logins. Then they give themselves new permissions, allowing them to access deeper levels of the network.

Once the hacker figures out where personally identifiable information is stored, or information about clients and investors, they will exfiltrate the data, accessing it with an apparently legitimate account they have created.

Trouble Under the Radar

No longer does a hack necessarily mean that your network blows up, gets ransomed or otherwise is obviously visibly compromised. It is far more likely that a compromised network will go undetected for the national average of ten months while exfiltrated data is continually mined, used to gain more footholds in more networks and sold on the Dark Web.

As a side effect, senior people in an organization will often find their personal accounts penetrated and their email accounts taken over. Consider the mayhem that can occur if the CFO of a commercial real estate management firm receives an email purportedly from the managing director requesting a wire transfer for $5 million. If a hacker sent that email, and the firm has no procedure for confirming its validity, the company could quickly be out $5 million. And because cybercrime insurance policies rarely cover the voluntary transmission of funds by an employee, there is no recourse.

Even more frightening is the potential for a hack to extend beyond its original borders. The sensitive data that exists on most CRE firms’ servers contains everything from personally identifiable information (often called PII for short) to institutional investor information, critical information on properties and even the software that allows for remote property control. Getting hold of that data, in combination with the names and email accounts of trusted CRE advisors, can help a hacker create multiple penetrations that can be extremely profitable. Getting into the controls for a building can be an opportunity to take over operations, impacting the tenants of unprotected management firms.

Safety Measures

Fortunately, most people can protect themselves from even highly sophisticated attacks by taking a few steps that require relatively little effort.

Monitor your social networking permissions. Make a monthly appointment with yourself to review and update your social networking security settings. Review those for your company accounts, as well.  The major networks are constantly updating the ways in which you can protect yourself. And while you’re at it, change your passwords.

Use two-factor authentication. Two-factor authentication is becoming increasingly common because it relies upon more than one aspect of your life to protect your account. Sites like Twitter have long offered two-factor authentication, validating access from unknown devices by calling or texting a different device. You can turn on this option in your settings.

Isolate and protect your assets. Just as using the same password on multiple sites can allow compromise, keeping your properties’ or investors’ information on the same network as your daily operational information is risky. Isolate your property systems and information, and protect each network independently.

Hang out with a good crowd. If your mom’s Facebook account is compromised and you are linked to her, you too can become a target. Help educate your friends, associates, and particularly your vendors about their own cybersecurity. Smaller firms that serve commercial properties are often underserved in information technology. Extend your resources to help them bring their systems up to par and to educate their employees.

Implement strong processes. Your critical processes need to be well defined and well documented. Wire transfers should require at least two parties to authenticate before a release. Changes in information about clients, particularly about their banking arrangements, should require at least two forms of contact with that investor. When processes are automated, ensure that there are enough controls in place that no information or funds can be released without prior human approval.

Today, your personal social networks can also affect the security of your company.  Take a few simple steps and you can safeguard both your personal activities online and your critical business network.

Kathleen Hurley is IT director for Madison International Realty, a real estate private equity firm based in New York City.