Successfully defending against social engineering attacks

helmet-and-shield-armor

While it’s the technical aspects of cyberattacks that often make headlines — software exploits, worms, ransomware, and other forms of malware — it’s actually the subversion of people (end users) that make many, if not most attacks today, successful. All attacks eventually involve technical aspects, but it’s the trickery to get someone to click on a link, open a tainted attachment, or let the alleged “IT Guy” into the server room that enables the damage to be done.

Security professionals refer to this as social engineering and it’s crucial that enterprises are aware of these tricks because they are usually the first aspect of an attack. This is because once a user has been coaxed to act, a technical attack’s chance of success increases significantly.

Social engineering tactics occur virtually anywhere people communicate — phone, email, web, text messages, in person, social networks — you name it. And if there is communication, there is likely someone trying to scam someone or infiltrate a system. So, how does an organization defend itself?

Organizational awareness. Employees today need to be trained to be cautious. They need to be reminded that the communication that comes at them in social media, email, and elsewhere is all too often deceitful and designed to trick people into acting. Employees must also be trained to not only look for ways to spot fake emails, phone calls, texts, or information on social media (memes would never be wrong or deceive, right?)  but to have a constant filter in place questioning the validity of requests for them to respond to anything online. Does the email look legitimate? Do the requests from the caller feel legitimate? Is there a way to validate that this email is for real?

Test, test, test. Security awareness training has to be ongoing, and users need to be tested on whether they fall for phishing emails, texts, or phone calls. The results need to be measured to gauge the program’s effectiveness.

Check technical, financial and other policies that may be placing the organization at risk. While no policy controlling the behavior of people will ever be perfect, look for ways to ensure the proper controls and separation of duties are in place.

Reward people for following policy. For years in school and early in work people are taught to follow orders. But when it comes to averting attacks, it’s important that all employees are comfortable questioning the validity of requests and situations. No one should ever be made to feel bad, silly, or reprimanded for authenticating requests if their gut tells them something seems amiss. You want to encourage this kind of behavior.

Monitor what should be monitored. No training is going to be 100 percent effective, and no system will succeed at blocking all incoming social engineering attacks. This is why organizations need to monitor what they can and look for signs of breach and potential exploitation. This includes endpoint monitoring, scanning user system and application access patterns for anomalies, searching internal systems for unusual activities and so forth. Since no enterprise will stop all social engineering attacks, so it’s important to always be on the lookout for potential successful exploitation.

RELATED LINKS

When it comes to digital security, millennials are slackers (but so are boomers)

A look at cyber warfare and Advanced Persistent Threats (APTs)

Not all cyberattacks are over data theft

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: