[BreachExchange] How You Can Avoid Social Engineering Attacks On Your Business
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Oct 23 20:45:32 EDT 2017
http://www.smarthustle.com/can-avoid-social-engineering-attacks-business/
Cybersecurity breaches are at an all-time high, with business and IT
leaders scrambling to deploy technologies to protect confidential data.
While technology solutions are critical to maintaining security, the
weakest link in any business is not the email services or the office
software, it’s the staff.
Sophisticated phishing and spear phishing attackers use a mix of social
engineering and spoofed email addresses to obtain information they
shouldn’t have access to. When these attacks are aimed at a business,
hackers could access sensitive data belonging to both employees and
customers.
While these attacks are growing in awareness, there’s a reason they still
exist: People fall for them. And a hacker only needs to infiltrate one
person, building enough credibility or trust that convinces the staff
member to them to provide confidential information or click a fraudulent
link.
Many hackers are now turning to the phone with social engineering tactics
to lay the groundwork for an attack. They’ll often pose as someone within
the organization, a customer or outside vendor and convince the employee on
the line to open an email they’ve sent. A phone conversation can build
trust that couldn’t otherwise be gained by an email alone.
Imagine this scenario: An employee answers a call from someone who claims
to be a co-worker at another location or perhaps a long-time trusted
partner. The caller asks for confidential information that would not
otherwise be shared, such as login details, and the employee provides the
information. Now the hacker can break into the network or gain access to
otherwise secured information.
In other cases, the hacker employs email-based social engineering tactics.
In this case, the person may send a realistic-looking email – perhaps even
one that appears to be a well-known colleague – and asks the recipient to
click a corrupt link within the email. Once the hackers obtain the desired
information, it’s often sold and used to infiltrate everything from bank
accounts to healthcare records.
One of the best defenses against social engineering hacks is to implement
end user training and test for failures – particularly around email.
Email Policies
Email policies should be created in a manner that reduces risk of a social
engineering attack, while addressing your organization’s specific
challenges and goals. Consider the following basic policies for internal
emails:
- Don't send e-mail in HTML format
- Don't send unrequested attachments or hyperlinks
- Don't include or ask for personal information
- Use the full name of the user
One way companies can help users minimize the risk of attack is to require
a specific format for how each message is written. This provides an
identifying element for users to verify each internal correspondence. If an
internal email doesn’t follow that format and includes a link, it could
serve as a red flag for something suspicious. While it’s possible the
sender accidentally failed to follow the format, touch base with the
sender. The recipient can quickly call or IM the sender via phone to
authenticity and prevent a potential infiltration.
Passwords
Another simple precaution against social engineering is to instruct staff
how to create strong passwords, and continually update them. Most computer
users – from consumers to office workers – tend to be lax about creating
difficult passwords and changing them often.
Testing
You can’t accurately fix a problem if you can’t quantify it. Nearly 80% of
organizations don’t conduct security testing, leaving them vulnerable to
attack. You can perform simple, but effective tests to gauge your
vulnerability to social engineering threats. Conduct periodic penetration
testing by sending end users suspicious—yet harmless—emails to gauge
whether or not they open them, respond to them or click on imbedded links.
In addition to regular staff education and reminders, enroll these
employees in one-on-one trainings, helping them better recognize and resist
typical social engineering techniques.
The next step is to collect data and set improvement goals. With each
penetration test, record how many employees fall for the ruse. If the
training programs are effective and successful, the failure rate should
reduce with each penetration test.
The sophistication and instances of social engineering attacks continue to
rise, and it’s clear that organizations need to be ready to prevent
infiltrations from every angle. No single solution can keep you as safe as
you need to be. Security policies and training should be reviewed
continuously to keep up with the changing threatscape, and your end users
must be well-prepared to fend off social engineering ploys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171023/7816983b/attachment.html>
More information about the BreachExchange
mailing list