While there are proven methods and technological means to prevent attacks and detect malware, when it comes to social engineering, it can be harder to discern what to look for or predict what form an attack might take. That’s why social engineering is so effective. If a web server is hardened against entry, it doesn’t matter how often someone tries to break in; they will always get the same result.
By playing on human nature, potential saboteurs can target every individual in the organization. Even if most people are trained not to fall victim to these attacks, all a bad guy needs is one person who isn’t paying attention and gives out a critical piece of information. Let’s look at some of the red flags users (and even IT pros) should recognize, training tips for users, and some policies and procedures to implement as a guard against social engineering tactics.
Most employees don’t have a very good appreciation of how sensitive some pieces of information can be. This is made abundantly clear when we see how many people write their passwords down on post-it notes, or how willing they are to hand out all of their login information to anyone calling in and claiming to be from tech support. Keeping this type of information secret should be something that is repeated on a regular basis. But the burden should not only be placed on the shoulders of individual employees. It’s been shown that asking employees to change their passwords too often leads them to forget more easily and thus they are more likely to write them down. It’s important to make users understand that there are few, if any, circumstances under which they should share their login credentials. Edward Snowden even got NSA employees to hand over theirs. If someone is asking them for their passwords—red flag!
There are many tricks used in social engineering to gain access to a network. In one case, USB keys were left lying around in the parking lot. A curious employee took one inside and plugged it in to see what was on it!
In addition to being given policies on the use of their own unauthorized devices, users should be taught to be suspicious of any “lost” USB keys or other devices and to turn them in to a designated person in management or IT. Needless to say, we all know just how devastating it would be to have an entire network compromised by malware. Again, IT can easily mitigate this risk by locking down systems and preventing disks or USB keys from working. Any type of wireless should always be locked down properly. Having active filtering of unknown devices would be the only way to protect your network from that type of intrusion.
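As an illustration of the filtering of unknown devices described above, the following added example (not part of the original article) scans Linux kernel log lines for USB mass-storage devices that are not on an allowlist. The log lines are constructed for the example, and the allowlist and the function name `unknown_storage_devices` are hypothetical.

```python
import re

# Constructed kernel log lines in the format printed by the Linux USB core;
# the devices listed here are made up for this example.
SAMPLE_LOG = """\
[ 101.000001] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 101.000450] input: Logitech USB Keyboard as /devices/pci0000:00/usb1/1-2/input/input7
[ 245.120000] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 245.131000] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 512.700000] usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 512.712000] usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of company-issued devices as (vendor ID, product ID).
ALLOWED = {("046d", "c31c"), ("0951", "1666")}

NEW_DEV = re.compile(
    r"usb (\S+): New USB device found, "
    r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def unknown_storage_devices(log_text, allowed=ALLOWED):
    """Return [(port, vid, pid)] for mass-storage devices not on the allowlist."""
    seen = {}    # port -> (vid, pid) of the most recent device enumerated there
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            seen[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = STORAGE.search(line)
        if m:
            port = m.group(1)
            ids = seen.get(port)
            if ids is None:
                # Storage bound on a port we never saw enumerate: flag it.
                alerts.append((port, "unknown", "unknown"))
            elif ids not in allowed:
                alerts.append((port, *ids))
    return alerts


if __name__ == "__main__":
    for port, vid, pid in unknown_storage_devices(SAMPLE_LOG):
        print(f"ALERT: unapproved USB storage on port {port} ({vid}:{pid})")
```

Vendor and product IDs are reported by the device itself, so a check like this catches stray consumer drives but should back up, not replace, disabling USB storage on systems that do not need it.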
Even high security networks have been compromised in social engineering attacks. Phishing remains the most common method of attack. An employee receives an email that appears to come from a legitimate source, with believable content, but containing a malicious link or a document that exploits an unpatched vulnerability. Some phishing attempts are very sloppy, but some are sophisticated enough to fool even the professionals. Drilling it into users that they should regard all links and attachments with a high degree of skepticism isn’t exactly bullet-proof, but it is a message that needs to be repeated on a regular basis.
There are many other methods being used, from tailgating someone into a restricted area, to posing as a fellow employee or contractor, or simply baiting someone with a reward in exchange for critical information. Clear policies should be created for employees to follow, users should be protected so their information doesn’t get into the hands of an unauthorized third party, and any security measure implemented by IT should assume that the intruder will be coming from the inside.
Employees are especially susceptible to social engineering attacks, but they can be trained. What is harder is training your clients and customers. That’s why any organization that offers services to external users should do everything it can to protect them from themselves. One particularly vulnerable entry point is password reset forms. If you’re creating online services and making a password reset function, be very careful what you ask the user when they try to recover a lost password. Many sites ask for commonly available information, things that used to be safe, like the name of a pet or your previous address, but that people these days share on social networks all the time. Instead, try to use information that users are more likely to keep secret, like the last digits of their credit card. Any sensitive change in a user account, like changing a shipping address or financial info, should require extra security confirmation.
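One way to implement the extra confirmation for sensitive account changes mentioned above is to hold the change until the user returns a short-lived, single-use token sent to a contact address already on file. This is an added example, not code from the original article; the function names, the in-memory nonce store and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
TOKEN_TTL = 900                       # seconds a confirmation stays valid (assumption)
_used = set()                         # redeemed nonces; use shared storage in production


def _mac(user_id, change, nonce, expires):
    # Bind the token to the user AND the exact change being confirmed.
    payload = json.dumps([user_id, change, nonce, expires], sort_keys=True).encode()
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def request_change(user_id, change, now=None):
    """Hold a sensitive change; return the token to send to the address on file."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expires = int(now) + TOKEN_TTL
    return f"{nonce}.{expires}.{_mac(user_id, change, nonce, expires)}"


def confirm_change(user_id, change, token, now=None):
    """Return True only for an unexpired, unused token for this user and change."""
    now = time.time() if now is None else now
    try:
        nonce, expires, mac = token.split(".")
        expires = int(expires)
    except ValueError:
        return False                  # malformed token
    if now > expires or nonce in _used:
        return False                  # expired or replayed
    expected = _mac(user_id, change, nonce, expires)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False                  # wrong user, altered change, or forged token
    _used.add(nonce)                  # single use
    return True
```

Because the token covers the change itself, a confirmation obtained for one shipping address cannot be reused to approve a different one.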
A lot of IT pros dislike having to deal with social attacks, because they are far less predictable and more linked to human fallibility than to the predictability of computer systems. It has to do with training users to be skeptical and to use good judgement. Every part of the organization should be reviewed for potential security problems, from the phone and email system, all the way to the waste disposal system, where sensitive documents should always be destroyed properly. Finally, just as penetration tests are now commonplace against computer networks, employees should also be subjected to random tests to see if they follow procedures. This is one area of security where an IT department just can’t do it alone; everyone has to know their role and be involved in the process.
What social engineering ploys have you witnessed? Add your own suggestions for training and prevention, and identify other red flags in the discussion below.