Don’t Click that Link! Have a Back-up Plan to Mitigate Social Engineering Attacks

Photo: InfoBankSecurity

If you don’t enjoy having your data or your customers’ personal information plastered all over the Internet, then you should consider the initial attack vector most likely used to put it there: a social engineering attack that succeeded because staff did not understand how such attacks work, and because no security controls were in place to limit the breach once it began.

Phishing, pretexting, baiting and piggybacking (tailgating) are just some of the social engineering methods attackers use to trick employees into divulging sensitive business data or confidential information, which is then used to bypass network defenses. Phishing was one of the components of the attacks on Target, RSA and Home Depot, to name a few.

“Phishing is the No. 1 external attack vector,” said Sword & Shield Security Analyst Zac Wagle. “It offers the biggest reward for the least amount of effort.”

Social engineering is a technique for getting around security controls by exploiting the behavior of the humans around the system. For example, instead of exploiting vulnerabilities in the services of an external-facing system that holds important client data, an attacker could convince an authorized user of that system to disclose his or her credentials by sending the user an e-mail with a link to a fake website that mirrors the legitimate login page. Once the phished user enters a username and password on the attacker’s site, the attacker captures those credentials and can log in to the real system as that user.
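The lure in that scenario is the link itself: the host in the URL is not the company’s domain but something built to look like it. The following check is an added example written for this article, not Sword & Shield code. It classifies the host of a link as trusted, lookalike or unknown against a trusted-domain list. The domain list, the sample URLs, the confusable-character table and the "last two labels" rule for the registrable domain are all assumptions made for illustration; a production version would use the organization’s own domain inventory and a public-suffix list.

```python
"""Classify a link from an e-mail as trusted, lookalike or unknown.

Added example for this article, not Sword & Shield code. TRUSTED_DOMAINS,
the sample URLs and the confusable table are constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumption: the organisation owns exactly this domain.
TRUSTED_DOMAINS = {"example-corp.com"}

# Single characters attackers swap in because they look alike at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (assumption: no suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host):
    """Fold digit/letter confusables and the multi-character look-alikes rn->m, vv->w."""
    return host.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for the host inside ``url``."""
    if "//" not in url:            # bare "host/path" as it might appear in mail text
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # Trusted name used as a subdomain or a label of an attacker-owned domain,
        # e.g. example-corp.com.secure-login.net or example-corp.login-verify.net
        if t in host or brand in host.split("."):
            return "lookalike"
        # Confusable substitution or a one-or-two-character typo: examp1e-corp.com
        if edit_distance(normalize(domain), normalize(t)) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://login.example-corp.com/sso",
                 "http://examp1e-corp.com/login",
                 "http://exarnple-corp.com/login",
                 "http://example-corp.com.secure-login.net/",
                 "http://news.example.org/"):
        print(f"{classify_link(link):9s} {link}")
```

A mail gateway can apply the same test to every link in an inbound message and rewrite or quarantine lookalikes; the same three verdicts also make a useful teaching aid when walking users through what a phishing link looks like.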

Most business owners are aware of social engineering threats and assume that training employees to recognize some of these methods will solve most of the problem.

“Not so,” Wagle says.

If a company wants to improve its overall network security posture, educating employees is a great place to begin. However, the company must also plan for what happens when that training fails and a single click starts a chain of events that can end in a breach.

“Most of what we experience is that it’s going to happen anyway. (Employees) are going to click that link,” he said. “What a business owner must decide is what happens next. How quickly can they detect and respond to an attack and what technical controls have they put in place to help mitigate the attack.”

Social engineering is difficult to defend against because, even in the best case, users will always be somewhat vulnerable. Company policies, training and early detection can limit the damage. To build defenses against social engineering attacks, organizations should consider these steps when putting together their security practices:

  • Investing in security awareness and training programs: Employee education is a good first step. An employee who is trained to recognize these attacks is less likely to download malicious content or to visit the websites that host it.
  • Strengthening company policies and procedures: Well-defined policies and procedures give employees guidelines for protecting company resources from a cyber-attack. Strong policies should cover password management, access control, and the handling of sensitive user information.
  • Properly configuring the technical environment: This can include logging and monitoring, least-privilege configurations, authenticated outbound access (so compromised workstations cannot reach the Internet silently), IDS/anti-virus, or any other technology that limits an attacker’s ability to maintain a persistent connection into your organization.
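The third step is where the "what happens next" question gets answered: once the user has clicked, the implant has to phone home, and that traffic shows up in outbound proxy logs as a connection repeated on a fixed schedule. The following detector is an added example written for this article, not Sword & Shield code. It runs over a constructed, deliberately simplified proxy log (timestamp, client IP, destination host; real proxy formats differ and need their own parser) and flags client/host pairs whose connection intervals are too regular to be a person browsing. The thresholds (`min_events`, `max_jitter`) are assumptions for illustration and would be tuned per environment.

```python
"""Flag client/host pairs whose outbound connections look like C2 beaconing.

Added example for this article, not Sword & Shield code. The log format
and SAMPLE_PROXY_LOG below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.4.37 beacons to one host every ~60 s with a second
# or so of jitter; 10.1.4.22 browses normally with irregular gaps.
SAMPLE_PROXY_LOG = """\
2015-06-01T09:00:00 10.1.4.22 login.example-corp.com
2015-06-01T09:00:05 10.1.4.22 cdn.example-corp.com
2015-06-01T09:00:10 10.1.4.37 update.malicious-example.net
2015-06-01T09:01:10 10.1.4.37 update.malicious-example.net
2015-06-01T09:02:11 10.1.4.37 update.malicious-example.net
2015-06-01T09:03:10 10.1.4.37 update.malicious-example.net
2015-06-01T09:04:11 10.1.4.37 update.malicious-example.net
2015-06-01T09:05:10 10.1.4.37 update.malicious-example.net
2015-06-01T09:07:42 10.1.4.22 news.example.org
2015-06-01T09:19:03 10.1.4.22 login.example-corp.com
2015-06-01T09:31:55 10.1.4.22 cdn.example-corp.com
2015-06-01T09:32:01 10.1.4.22 cdn.example-corp.com
2015-06-01T09:45:10 10.1.4.22 cdn.example-corp.com
2015-06-01T09:47:30 10.1.4.22 cdn.example-corp.com
2015-06-01T09:58:20 10.1.4.22 news.example.org
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(stamp))
    return series


def find_beacons(text, min_events=5, max_jitter=0.15):
    """Return (client, host, interval_seconds) for connection patterns that beacon.

    A pair is flagged when it has at least ``min_events`` connections and the
    coefficient of variation of the gaps between them (stdev / mean) is below
    ``max_jitter``: human browsing produces highly irregular gaps, implants
    checking in on a timer do not.
    """
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, host, round(avg)))
    return hits


if __name__ == "__main__":
    for client, host, interval in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: ~{interval}s beacon")
```

On the sample the detector reports only the 10.1.4.37 workstation; the five cdn.example-corp.com fetches from 10.1.4.22 have gaps ranging from six seconds to half an hour and are ignored. This kind of check only works if outbound traffic is forced through a logging proxy in the first place, which is the point of the "authenticated outbound access" control above: an implant that can reach the Internet directly never appears in the log.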

“People are the key to business, but a good defense against social engineering attacks doesn’t just consider the human element,” Wagle said. “It tests the infrastructure. It tests the attack vectors. It’s not just about defeating the user. It’s about completely owning their system.”

Sword & Shield offers social engineering services that assess your company’s overall security awareness, physical security, and risk of leaking information to unauthorized persons. Request a consultation to learn how we can help you strengthen your weakest link: your people.
