The Problem With Corporate Email Addresses on Social Networks
SecurityScorecard Finds Grainger Susceptible to Social Engineering
In a July 14 press release, the B2B industrial distributor W.W. Grainger reported that it had experienced a security attack. The company stated in this press release that there was “no evidence there is any impact to customers, suppliers or employees because there is no indication that information such as social security numbers or government identification numbers, banking information or credit/debit card information have been compromised by this incident.”
After learning of the attack on Grainger, we took a quick look into the SecurityScorecard platform and found several key security issues. While the company shows strong ratings for application security, DNS health, and patching cadence, our data points to weaknesses and security-risk problems with legacy systems, an area with a high probability of breach.
“Grainger is using antiquated legacy Classic ASP and ASPX software on their multiple web applications, and it appears they are having problems with malware going back for several months,” said Chief of Research for SecurityScorecard, Alex Heid. “The biggest issue for Grainger, however, seems to be the use of corporate credentials on social networks. This allows for attackers to create a direct line of communication for spear phishing attempts, and create a much easier attack vector to deploy malware to corporate employees.”
When an attacker is spamming a malicious link or payload via email, there is a chance that the link and/or payload will be quickly blacklisted by automated antivirus email spam filters, Heid explained.
“When an attacker is directly connected to their target on a social network, however, the risk of having their links detected as malicious is much, much lower if used properly,” said Heid. “An attacker that is able to directly communicate with their targets on a small scale via direct messages or posts is able to leave a much smaller footprint as compared to the ‘spray and pray’ methodology of bulk email phishing attacks.”
The Information in Data Breach Notifications Varies Widely from State to State
With sales of $10 billion in 2014, Grainger sells a wide range of products, including maintenance, repair and operating supplies, across the globe, and has been in business since 1927. Grainger, which ranks #290 in the Fortune 500, reported limited information in a press release about the security incident. The company stated:
Grainger’s IT security team discovered that the company was the subject of a cyberattack and that the intruders were able to access limited information on Grainger’s network. In response, Grainger immediately began following its cybersecurity protocol by working with leading cybersecurity experts to investigate the situation; implementing enhanced security measures; and quickly notifying law enforcement officials.
Why is the information that Grainger provided so limited in its detail? State law. Data breach notification laws in the U.S. are becoming more and more specific about the timelines for notification, but vary widely in the actual information required to be communicated. In Illinois, the law says, for example, that “[t]he notification shall not, however, include information concerning the number of Illinois residents affected by the breach.”
A bill before the U.S. Congress would create a federal data breach notification law requiring notice to consumers, employees, and the general public within 30 days. The argument for a federal law was recently examined by The National Law Review:
Many consider the matrix of state laws to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring. There is some merit to this. For example, the notification law in Massachusetts prohibits businesses from describing the circumstances of the breach in the notification letter. However, the notification laws in many other states require the letter contain a brief description.
While the information relayed in Grainger’s press release may be limited, the company made it very clear that it is providing 12 months of free credit monitoring and identity theft services for any customer who wants to take advantage of it.
SecurityScorecard’s social engineering module is one of ten security categories. It ingests data from social networks and public data breaches and blends them with proprietary analysis methods. The score is calculated from the quantity of indicators that appear in our collection sensors, and we determine whether or not corporate credentials are in use on social networks.
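To make the idea of counting corporate-credential indicators concrete, here is an added example (not SecurityScorecard’s code) that flags corporate e-mail addresses appearing in social-network and breach records and tallies them per domain; the monitored domains and the records are constructed for illustration.

```python
# Added example, not SecurityScorecard's code: flag corporate e-mail addresses
# seen in social-network or breach records and tally indicators per domain.
# The domain list and the records below are constructed for illustration.
from collections import Counter

CORPORATE_DOMAINS = {"corp.example", "sub.corp.example"}  # assumed owned domains

def corporate_domain(email):
    """Corporate domain the address belongs to (exact or subdomain, most
    specific first), or None if the address is not corporate or malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.strip().lower().split("@")
    if not local or not domain:
        return None
    for corp in sorted(CORPORATE_DOMAINS, key=len, reverse=True):
        if domain == corp or domain.endswith("." + corp):
            return corp
    return None

def find_indicators(records):
    """records: (email, source) pairs from collection sensors. Returns unique
    (email, source, corporate_domain) tuples; case differences are collapsed."""
    seen, out = set(), []
    for email, source in records:
        corp = corporate_domain(email)
        if corp is None:
            continue
        key = (email.strip().lower(), source)
        if key not in seen:
            seen.add(key)
            out.append((key[0], source, corp))
    return out

def score_by_domain(indicators):
    """Indicator count per corporate domain: the quantity that feeds the score."""
    return Counter(corp for _, _, corp in indicators)

# Constructed sample feed mixing social-network profiles and a breach dump.
SAMPLE_RECORDS = [
    ("Alice.Smith@corp.example", "social:profile"),
    ("alice.smith@CORP.example", "social:profile"),  # same account, different case
    ("bob@mail.corp.example", "breach:dump-A"),      # subdomain still counts
    ("carol@sub.corp.example", "social:post"),
    ("dave@personalmail.example", "social:profile"), # not a corporate address
    ("not-an-email", "breach:dump-A"),               # malformed, ignored
]

if __name__ == "__main__":
    found = find_indicators(SAMPLE_RECORDS)
    print(found, dict(score_by_domain(found)))
```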