How Agencies Get Hacked

As an IT professional, I constantly stress the importance of training staff how to recognize security threats. The response I most often receive is “We teach our people not to click links, so we’re fine.” But security threats go far beyond the mailbox. I have seen several recent successful attacks that were executed using nothing more than publicly available information and industry knowledge.

Let’s assume, for a moment, that I am a hacker looking to do bad things. Here’s how I could use a combination of easily attainable information and industry knowledge to compromise an agency.

First, I’ll start with a little reconnaissance. Many agencies publish email addresses, direct dial phone numbers, and carrier appointments on their own websites. By using the agency’s website, I can gather a list of employees, learn the agency’s organizational structure, and find the carriers they represent. The agency website may contain a link to a client portal that will tell me the vendor they use for their Agency Management System. If not, most agencies use one of two providers, so I can make an educated guess. I will use this information to craft a plausible story, and then call employees directly:

“Hi Bob, this is Frank calling from support. I’ve been working with on a issue, and we’ve noticed multiple logins from your account. Given the amount of security incidents we’ve seen lately, I just wanted to make sure there’s not an issue. Would you mind getting me connected to your computer, so I can check it out?”

Once an employee lets me in, I will have access to a great deal of information. Under the guise of troubleshooting, I will extract a copy of the user’s documents and mailbox, so I can review the data at my leisure. I will find configuration files, unique software installers, and remnants of a data conversion that will expose the agency’s vendor-designated identification number. I will gain the employee’s trust, by confirming that a problem does exist, but it’s not his or her fault. Someone simply misconfigured the computer. It’s an easy fix, but one that will take some time. I will apologize for the interruption this has caused.

Lastly, I will ask the employee if he or she minds sharing the agency management system credentials with me, so that I can do some further clean up and testing without interruption to the work day. If he or she agrees, I can establish my own access to the agency management system and have unfettered access to the entire client database. Mission accomplished!

In the above scenario, there are several opportunities for the agency to thwart my attempts at access:

It’s common practice for agencies to showcase their entire staff, as well as their email addresses and direct phone numbers. It’s important to reduce the amount of public contact information, so that communication comes through proper channels.

Establish Third Party Policies:

Understanding how third-party vendors contact your staff is crucial to maintaining security. Staff members should be well versed in who may contact them, how that contact will happen, and what information is appropriate to share.

Trust, But Verify: A common tactic of hackers is to convince you that your boss has already approved of what’s being requested, and he or she may be displeased with a delay in response. It’s important to verify the request with your Manager or Supervisor, before taking any action or granting access.

Secure Your Data:

It’s a lot easier to compromise a single computer than a vendor’s infrastructure. So once files are no longer immediately needed, it’s important to attach them to client record, and clean up the local copies.

Security Awareness is about far more than simply being mindful of your mailbox. It’s about being cognizant of where data is stored, how it can be accessed, and how third-party vendors interact with your staff. It’s important to establish a Security Awareness Training program that goes beyond the mailbox, and educates employees on what’s possible, and how it’s executed. I encourage you to make these topics part of your recurring staff meetings, so security is never out of mind.

Article also published in the May 2019 Issue of Primary Agent magazine.