Now that you are aware, from our recent post (4 effective social engineering penetration testing techniques), of the social engineering tools and techniques that cyber-attackers can deploy, here are 3 actions you can take to reduce your exposure to these attacks.
1. Do you have the necessary security policies and procedures in place?
Having proper, structured security procedures can go a long way towards preventing social engineering attacks.
For example, train your call centre operators to follow a prescribed, secure process (such as a caller identity verification checklist and two-step verification) for resetting user passwords. This makes it much more difficult for cyber-attackers to infiltrate the process and convince operators to deviate from it.
Another example is advising users not to use their work email addresses or passwords when registering for non-work-related websites, so that those credentials are less likely to be disclosed to an attacker. In particular, they should never reuse their work email password for personal email accounts. The weaker the association between work and personal credentials (username and password), the better for security.
The key point is this: social engineering, by its very nature, entices users to step outside normal procedures, so it is important to educate users never to deviate from the set policies and procedures.
Alas, however robust the policy, we are still dealing with human beings, so the next action below is equally important.
2. Inculcate staff awareness of security
Staff awareness is the second pillar of defence against social engineering. By making users aware of the threats and risks they face, they can make more informed decisions and will be less likely to fall for well-known ruses.
Train them well and they will be better equipped to make judgement calls.
Training such as phishing awareness exercises, where users are sent simulated phishing emails and then educated about the risks of malicious emails and websites, is a great help.
Nevertheless, some users are inherently at risk of social engineering, whatever their level of security awareness and whatever policies and procedures are in place. For example, HR and recruitment staff routinely receive emails from strangers and open the attachments sent with them. Finance staff must deal with invoices, often in electronic formats, on a daily basis. Sales and marketing staff, on the other hand, are bombarded with marketing-related emails that invariably contain external links and attachments.
Therefore, regardless of the other controls in place, these users can often be easily compromised if their workstation software contains exploitable weaknesses. So what's the next action step? Read below for the final step.
3. Prevention using technical and detection controls
Conventional IT security activities such as patch management and system hardening therefore remain essential to prevent such attacks. Whilst most organisations are improving their patch management of operating system software, the updating of web browsers and their plugins within corporate environments is often slow, and an outdated browser frequently gives an attacker access to the internal network via a crafted email or a malicious website. Deploying a gateway security firewall with properly configured rules and policies is a good start.
Workstation and device hardening is also highly important. A user may be tempted to plug in a USB key placed by an attacker, but this will not achieve its desired effect if USB access is blocked on their workstation. Malicious executables may bypass many anti-virus technologies, but will not run if the user's workstation is configured to run only a whitelist of approved programs. An application whitelisting solution such as ARWARE can be deployed across the organisation to block such executions automatically, whether intentional or accidental.
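The two workstation controls above (blocking USB mass storage and enforcing an application whitelist) are the kind of thing an administrator should be able to verify on a host, not just assume from policy. The following PowerShell is an added example written for this page; it is not code from the original post or from ARWARE. It assumes a Windows workstation with an elevated session, uses the built-in USBSTOR driver's Start value (4 = disabled) as the USB block, and audits AppLocker as the whitelisting mechanism, reading the RuleCollectionType and EnforcementMode properties that the AppLocker cmdlets expose. Enterprise deployments would normally push these settings through Group Policy; the script shows the per-host check and the equivalent local change.

```powershell
# Added example for this page (not from the original post or from ARWARE).
# Requires an elevated PowerShell session on a Windows workstation.
# Assumptions: USB mass storage is blocked by setting the USBSTOR driver's
# Start value to 4 (SERVICE_DISABLED); AppLocker is the whitelisting
# mechanism being audited.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    # Returns 'Blocked' when the USBSTOR driver is disabled (Start = 4),
    # otherwise 'Allowed'. Start = 3 (manual) is the Windows default.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    if ($start -eq 4) { 'Blocked' } else { 'Allowed' }
}

function Disable-UsbStorage {
    # Prevent newly inserted USB mass-storage devices from loading the driver.
    # A device already mounted keeps working until it is removed.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    Get-UsbStorageState
}

function Get-AppLockerEnforcementSummary {
    # Report, for each AppLocker rule collection (Exe, Dll, Script, Msi, Appx),
    # whether it actually enforces ('Enabled') or merely audits ('AuditOnly'),
    # and whether the Application Identity service AppLocker depends on is
    # running. An 'AuditOnly' Exe collection or a stopped AppIDSvc means the
    # whitelist is not really blocking anything.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $policy = Get-AppLockerPolicy -Effective
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection      = $rc.RuleCollectionType
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc).Count
            AppIDSvcStatus  = $(if ($svc) { $svc.Status } else { 'NotInstalled' })
        }
    }
}

# Usage: check the current state, then apply the USB block and re-check.
Get-UsbStorageState
Get-AppLockerEnforcementSummary | Format-Table -AutoSize
Disable-UsbStorage
```

The summary is worth running as part of a regular compliance check: a workstation whose Exe collection shows AuditOnly, or whose AppIDSvc is stopped, will log whitelist violations but not prevent them, which is exactly the gap a malicious attachment needs.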
Social engineering takes many forms, and is an increasingly common attack vector.
With all 3 steps employed by an organisation, a targeted social engineering attack has to bypass the procedural, people and technical controls. That is still possible, but the barrier to entry is significantly raised.
By understanding the techniques and scenarios deployed by attackers, organisations can better defend themselves against this threat.