[BreachExchange] Social engineering: 3 golden rules to thwart hackers
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jul 11 19:18:36 EDT 2016
http://www.information-age.com/technology/security/123461687/social-engineering-3-golden-rules-thwart-hackers
Whilst cyber attacks on major organisations or governments are increasingly
hitting the front pages, hackers still have plenty to gain from attacking
smaller organisations.
In the government’s latest Information Security Breach Survey, 74% of small
and medium-sized businesses reported that they had suffered a breach.
One of the most commonly used tactics in cyber attacks against smaller
businesses is social engineering.
While social engineering can take on several forms — such as phishing or
baiting — these attacks have one thing in common. They all target a link in
the chain that is very often overlooked in security strategies: humans.
The social engineers work to deceive employees by passing themselves off as
service providers or individuals from within the organisation in order to
gain access to confidential data, make a bank transfer or penetrate the
company network so they can encrypt data and demand a ransom.
In most of these scenarios, the social engineering element typically forms
part of a larger cyber attack.
In order to successfully carry out these attacks, hackers gather
information from company websites and social networks so they can imitate
the employee or service provider whose identity they have assumed as
convincingly as possible. This enables them to deceive the target victims
and make them complicit in committing fraudulent acts.
Combining several pieces of data allows an attacker to create a plausible
scenario to present to the target. By coming up with a pretext, the
attacker can convince the victim to take a desired action.
For example, they could convince the victim to visit a website of the
attacker's choice. If the attacker already knows what operating system and
browser the company uses, it's easy enough to design an attack specifically
for that environment.
A successfully implemented social engineering attack is quite often how
serious threats end up on otherwise well-protected networks.
A determined social engineer will keep poking around until he finds the
crack in the armour. That crack could come from social media, a careless
conversation, an unsecured computer, some misplaced paper, and so on.
The more persistent criminals may spend months researching a target before
ever contacting the company, but even a few hours of prep time can result
in a successful attack.
Of course, just having a security policy isn't good enough — employees have
to be educated about the risks and follow the policy without exception.
To minimise the risk of falling victim to social engineering attacks,
companies should follow these three golden rules.
1. Educate your employees
Even with the best cyber security solutions in place, if the humans behind
them are not aware of the dangers, the network will remain vulnerable.
It is essential that every company educates its employees about the various
social engineering techniques used by hackers. If they know their enemy,
then they stand a fighting chance of adapting their behaviour and picking
up on the first signs – however minor they may seem.
A few guidelines are indispensible. Check the email address of the sender.
Ensure that it features all of the company's corporate elements. Do not
click on suspicious links. And, if in doubt, call your colleagues directly
to confirm that they really are making a bona fide request.
Companies can run workshops either internally or with the support of a
security service provider. These give employees the opportunity to work
through some light-hearted exercises based on simulated scenarios.
2. Put in place an email filtering solution
The vast majority of social engineering attacks are carried out via email.
Therefore, a good email filtering solution can neutralise some of these
attacks before they even reach users' inboxes. Such solutions can scan the
content of an email before it is received, and detect any corrupted
attachments or links.
3. Implement strong data governance
Data governance is a set of processes and policies that are put in place to
ensure that important data assets are formally managed. It helps make it
clear to employees exactly what data they are or are not granted access to.
Various levels of access should be implemented, making sure that only those
who need to work with strategic and confidential files have access.
>See also: The 2016 cyber security roadmap
Some social engineering attacks are not carried out to breach the company’s
IT systems, but simply to encourage one of the employees to perform an
action such as making a bank transfer or sending confidential files or bank
details to an external party.
In this type of scenario, good data governance can add another layer of
protection because the targeted employee will not necessarily have access
to the data.
The attacker would either lose interest and move onto the next target or be
forced to target other employees, thereby maximising the chances of someone
discovering the attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160711/70069160/attachment.html>
More information about the BreachExchange
mailing list