[BreachExchange] Social engineering: the biggest security risk to your business

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 28 18:49:41 EST 2017


http://www.itpro.co.uk/social-engineering/30017/social-engineering-the-biggest-security-risk-to-your-business


It's not your network, but your own well-meaning employees that could be
the gateway for hackers

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The
dictionary definition would be something like: "Deception with the intent
of gaining confidential information for fraudulent purposes." In practical
terms, this typically means someone trying to trick you into sharing your
login credentials, or installing malware.

Ah, you mean like phishing. Isn't that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any
attack methodology that relies on trust and deception. And it's certainly
not merely a consumer problem: when Imperva researchers set up honeypots to
attract phishing attacks, they found that business data was highly sought
after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We're all familiar with scattergun phishing emails, but you should also be
on the alert for highly targeted attacks ("spear phishing"); these can be
much harder to spot, because they appear to come from a trusted source and
include information specific to the recipient.

Then there are those telephone calls purporting to be from Microsoft
support, whose real aim is to gain remote access to your computer. And
don't discount the possibility of someone walking confidently into your
offices, smooth-talking their way past the reception desk and gaining
physical access to your IT systems.

Surely not many people fall for these tricks?

The trouble is that a social engineer only needs to fool one person in your
organisation to gain access to your networks and data. Indeed, talk to any
IT security professional and they'll tell you that most data breaches today
start with a social engineering attack of some kind. It's often much easier
to exploit an individual than to find and exploit a technical vulnerability.

So what should we do if one of our employees falls for a social-engineering
attack?

Well, don't blame them. Employees are only human, and in most cases they're
trying to do the right thing. MWR InfoSecurity did some simulated phishing
research last year, and found that spoofed emails, supposedly from the HR
department of their organisation, fooled nearly three-quarters of
recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social
engineering, as it provides a ready-made network of trust. The same
researchers found that when an email (even one sent to a work address)
requested the recipient to connect via a social media channel, roughly 25%
clicked the included link. This led them to a fake login screen where 54%
gave their credentials – of whom 80% then downloaded a malicious executable.

Is there a technical solution we can deploy?

Unfortunately, it's not as simple as installing product X, because social
engineering targets people as much as computers. There are technical
measures that should be part of your defences, such as two-factor
authentication, which limits the damage when a password is stolen, and
disabling remote access to files and servers where it isn't needed. However,
all of this needs to be deployed in tandem with user awareness training.

What's the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There
are many organisations that provide phishing simulations, to show users how
they can get fooled and help them recognise such situations when they occur
for real. Again, though, don't blame staff if they do get tricked: that
only isolates them from the security process, and you'll get better results
– not to mention a happier workforce – if they feel trusted and involved
with company security.

Three classic social-engineering tricks

USB seeding is where malware-infected USB sticks are dropped outside a
target building, or even left on tables in reception or at a local coffee
shop frequented by employees. Far too often, a curious finder immediately
plugs the stick into their work PC, and boom goes your network security.

A similar technique is the "Israeli Trojan" trick, in which supposed product
demo CDs were sent to target individuals within an enterprise. Many would
insert the CD without giving it a second thought. Today the threat actor
might even make contact ahead of time, so the recipient is expecting to
receive the disc or email, and is therefore more inclined to trust it.

Caller-ID spoofing involves making phone calls, or sending text messages,
from a spoofed number which appears as a genuine contact to the recipient.
Since the line of communication is already trusted, this approach is both
subtle and dangerously effective.