IT Security and Social Engineering
February 10, 2020
IT Security
With all the tools and technologies available for fighting off cyber threats, why are so many companies still plagued by them? Social engineering attacks may be part of the problem.
Social engineering covers a broad range of malicious activities carried out through human interaction and psychological manipulation. In simple terms, attackers trick users into making security mistakes or giving away sensitive information, which opens the door to ransomware and other types of attacks.
This isn’t new information. We’ve long known that human nature makes social engineering ploys easy to carry out in the workplace. Employees often open files from unknown sources and click on suspicious links. Even IT security professionals aren’t immune. In a 2018 study by cybersecurity firm Positive Technologies, 3% of them fell for the bait.
Types of Social Engineering Attacks
Mitigating social engineering attacks starts with understanding their various forms. The following are among the most common.
- Baiting. These attacks use content that piques the target’s curiosity. They’re usually enticing online ads that lead to malicious sites or that encourage users to download a malware-infected application. The ads look legitimate, as do the websites. Baiting can also use physical media. For example, attackers may leave a malware-infected flash drive in an area where a potential victim is sure to find it. The victim picks it up out of curiosity and inserts it into a work computer. The result: automatic malware installation on the system.
- Scareware. In these ploys, legitimate-looking popup banners appear on a victim’s screen with text such as, “Your computer is infected with a harmful spyware program.” The popup either offers to install a free, often malware-infected tool or points to a malicious site that infects the victim’s computer.
- Pretexting. These attacks start with an attacker establishing trust with the victim by impersonating co-workers, bank officials, or other people who appear to have a right-to-know authority. Attackers ask questions to “confirm” the victim’s identity, which lets them gather important personal data such as Social Security numbers and bank account numbers.
- Phishing. Phishing scams are email and text message campaigns that create a sense of urgency, curiosity or fear in victims. The messages then urge them to reveal sensitive information, click on malicious website links, or open attachments that contain malware.
- Spear phishing. This is a targeted version of phishing in which an attacker chooses specific individuals or enterprises. The messages are tailored to the victims’ characteristics, job positions, and contacts to make the attack less conspicuous.
- Smishing. This is a form of social engineering that exploits SMS and text messages. Text messages can contain links to webpages, email addresses or phone numbers that, when tapped, may automatically open a browser window, an email message or a “dial this number” prompt. The integration of email, voice, text message, and web browser functionality on one device increases the likelihood a user will fall for the scam.
- Vishing. Vishing leverages voice communication and can be combined with other types of social engineering to encourage a victim to call a certain number and divulge sensitive information. The attack can also take place entirely over voice communications by exploiting weaknesses in the Public Switched Telephone Network (PSTN) that make caller ID easy to spoof.
Social Engineering Education
Defending against social engineering attacks starts with education. On that front, there can never be too much IT security training. In fact, where companies often go wrong is not providing training frequently enough. Many employ a “one and done” approach, with new employees going through initial training without any follow up or refresher courses.
Not using real-life examples also diminishes the effectiveness of IT security training. Employees who complete online training consisting of multiple choice questions are less likely to understand the true impact of social engineering than if they have to work their way through examples of real-world social engineering attacks.
To make training more effective:
- Require regular, mandatory training for existing employees and as part of the on-boarding process for every new hire. This could be monthly, quarterly or at least twice a year. The training sessions should cover a variety of activities that teach employees how to identify social engineering attempts, and how not to fall for them. Also make sure trainees become familiar with the various types of social engineering attacks. They’ll be more likely to respond appropriately if they can identify an attack.
- Change up training. Conduct role playing, hold drills with examples of cons actually experienced by employees, run tabletop exercises, and use relevant video clips and training materials.
- “Test” employees regularly. Send emails with messages such as “Your system has been infected. Change your password now.” See if employees click on the links and follow the fake instructions, or if they do as instructed in training and report the fake emails. Use follow-up emails to let them know it was a test, whether they passed or failed, and why the email was suspicious. This is a social engineering method itself, as employees will start fearing “failing” and will be more likely to respond to fake emails appropriately.
- Find opportunities to share stories and real-life examples of social engineering beyond training. For example, provide materials that can be shared in employee resource groups (ERGs) and at meetups.
- Give employees direct instructions for what to do if they encounter a social engineering attack. The instructions should directly apply to their specific workplace and daily activities. Make sure they also know where to go with questions or if they suspect a social engineering attack.
- Keep IT security top of mind. Share information with employees regularly, particularly about social engineering attacks and how to avoid them, through frequent targeted messages. This includes emails, employee newsletters, digital boards, posters in the employee cafeteria and gym, etc.
- Make sure your organization has a clear corporate policy to conduct social engineering tests assessing how your employees respond. You can also outsource this; some security professionals offer social engineering testing services as part of their penetration testing program.
- Build and reinforce a company culture that makes IT security a priority. Encourage employees to report social engineering attempts. Celebrate streaks of “no successful social engineering attacks.” Reward employees who repeatedly pass random IT security tests or who report social engineering attempts.
Technology and Policy
The tools and tactics that fight against other types of attacks usually work for social engineering as well. Make sure you have a comprehensive IT security strategy in place which spells out security policies and incorporates a broad range of security technologies and tools. Among the elements to consider including:
- Email Gateways. Use a Secure Email Gateway (SEG) device or software to monitor emails and prevent unwanted email that includes spam, phishing attacks, malware or fraudulent content. Outgoing messages can also be analyzed to prevent sensitive data from leaving the organization or to automatically encrypt emails that contain sensitive information. SEG functionality can be deployed as a cloud service, or as an on-premises appliance.
- Two-factor Authentication (2FA). Require another factor to be used along with a username and password before access to network resources or data is allowed. This could be as simple as a mobile text code or could even be a biometric. A cybercriminal may be able to steal a password easily but getting the second factor is harder.
- Privileged Access Management. Ensure that roles are set so only certain users have access to specific resources. Less access is always better.
- Block or Disable USBs. Use Group Policy or other tactics to disable all USB storage access, with the exception of basic devices like keyboards. This prevents employees from taking company information they shouldn’t, and from introducing malware to your network via an infected USB drive.
- Cybersecurity Posture Assessments. Conduct regular assessments of your IT environment to identify security gaps and implement fixes immediately. Use compliance audits as opportunities to check your IT security as well. It’s also worth hiring a third party to conduct an objective assessment.
- Implement 24/7 Monitoring. Round-the-clock monitoring usually involves tools that can help detect problems on the network – often before they cause issues. These may include behavioral analysis and smart tools that help to spot anomalies. If you don’t have the internal resources to handle it, consider a third-party solution or service provider.
- Managed Security Services. Third-party security providers can help provide up-to-date security services that combat the latest threats. They invest in the most current technologies and train their staff to be “experts.”
- Antivirus/Antimalware Software. Along with firewalls, these are usually standard components of organizations’ security strategies. However, they don’t do much good if they aren’t up-to-date. Make sure automatic updates are engaged, or make it a habit to download the latest signatures first thing each day. Periodically check to make sure that the updates have been applied, and scan your system for possible infections.
- Backup. If data is corrupted or stolen, your data backup can save you money, time, and much more.
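One way to apply the USB block from the list above on a single Windows machine, as an added example that is not part of the original post: it writes the registry value that backs the Group Policy setting “All Removable Storage classes: Deny all access” (Computer Configuration > Administrative Templates > System > Removable Storage Access) and then verifies it. In a domain you would push the same setting through a GPO rather than run this per machine; the path and value name are the policy’s registry backing store, and keyboards and mice are not removable-storage classes, so they keep working.

```powershell
# Added example (not from the original post): locally enforce the GPO
# "All Removable Storage classes: Deny all access" via its registry backing
# store, then verify. Must run in an elevated (Administrator) PowerShell.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Set-RemovableStorageDenyAll {
    # Create the policy key if Group Policy has never written it on this host.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # Deny_All = 1 is what the GPO writes when the setting is "Enabled".
    New-ItemProperty -Path $PolicyPath -Name 'Deny_All' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-RemovableStorageDenyAll {
    # Returns $true only when the deny-all value is present and set to 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Deny_All -eq 1)
}

function Get-AttachedRemovableDisks {
    # Lists removable disks currently plugged in, so an admin can confirm
    # the policy has taken effect on the devices users actually carry.
    Get-Disk | Where-Object { $_.BusType -eq 'USB' } |
        Select-Object Number, FriendlyName, Size
}

Set-RemovableStorageDenyAll
if (Test-RemovableStorageDenyAll) {
    Write-Output 'Removable storage policy: Deny_All = 1 (applied)'
} else {
    Write-Output 'Removable storage policy NOT applied; check elevation and the key path'
}
Get-AttachedRemovableDisks
```

Already-mounted drives may keep working until they are reconnected or the machine is rebooted, so check with a freshly inserted test drive rather than one that was plugged in before the policy was set.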
Talk to US Signal
Human nature makes social engineering attacks difficult to combat, but there are plenty of tactics that can help mitigate them. To evaluate your current security approach, talk to a US Signal solution architect about a technology assessment. Assessments can be conducted to review your data protection and information security posture or for IT benchmarking.
US Signal also offers a variety of data protection and IT security solutions that can be used as standalone tactics or combined to create a more comprehensive security approach. Call 866.2.SIGNAL or email [email protected].