Cheat Sheet: Social engineering

What’s the biggest security risk in your business? Davey Winder explains why it’s not your network, but your own well-meaning employees

PC Pro, November 2017, Issue 277

Why employees are your biggest security risk.

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The dictionary definition would be something like: “Deception with the intent of gaining confidential information for fraudulent purposes.” In practical terms, this typically means someone trying to trick you into sharing your login credentials, or installing malware.

Ah, you mean like phishing. Isn’t that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any attack methodology that relies on trust and deception. And it’s certainly not merely a consumer problem: when Imperva researchers set up honeypots to attract phishing attacks, they found that business data was highly sought after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We’re all familiar with scattergun phishing emails, but you should also be on the alert for highly targeted attacks (“spear phishing”); these can be much harder to spot, because they appear to come from a trusted source and include information specific to the recipient.

Then there are those telephone calls pretending to be from Microsoft support, that actually want to gain remote access to your computer. And don’t discount the possibility of someone walking confidently into your offices, smooth-talking their way past the reception desk and gaining physical access to your IT systems.

Surely not many people fall for these tricks?

The trouble is that a social engineer only needs to fool one person in your organisation to gain access to your networks and data. Indeed, talk to any IT security professional and they’ll tell you that most data breaches today start with a social engineering attack of some kind. It’s often much easier to exploit an individual than to mess around with technical hacks.

So what should we do if one of our employees falls for a social-engineering attack?

Well, don’t blame them. Employees are only human, and in most cases they’re trying to do the right thing. MWR InfoSecurity did some simulated phishing research last year, and found that spoofed emails, supposedly from the HR department of their organisation, fooled nearly three-quarters of recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social engineering, as it provides a ready-made network of trust. The same researchers found that when an email (even one sent to a work address) requested the recipient to connect via a social media channel, roughly 25% clicked the included link. This led them to a fake login screen where 54% gave their credentials – of whom 80% then downloaded a malicious executable.
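As an added example (my own code, not from the article or from the researchers it cites), here is a small Python triage check for the kind of spoofed “from HR” message described above. It flags three things a defender can spot in headers and body alone: a display name that claims an internal role while the real address is external, a sender domain that is one character away from a trusted one, and links whose visible text names a different host from their real target. The trusted domain `example.com`, the list of role words and the sample message are all constructed assumptions.

```python
"""Added example (not from the PC Pro article): a small triage check for the
kind of spoofed "from HR" email the article describes."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's real mail domain (placeholder value).
TRUSTED_DOMAINS = {"example.com"}

# Assumption: role words an attacker might put in a display name to borrow trust.
ROLE_WORDS = re.compile(r"\b(hr|human resources|it support|payroll)\b", re.I)


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_spoof(from_header: str) -> bool:
    """Flag a display name claiming an internal role while the address is external."""
    name, _ = parseaddr(from_header)
    return bool(ROLE_WORDS.search(name)) and sender_domain(from_header) not in TRUSTED_DOMAINS


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """Flag a domain one edit away from a trusted domain (e.g. examp1e.com)."""
    return any(domain != t and edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS)


LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) pairs where the visible text looks like a
    URL or hostname but names a different host from the href."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not URLISH_RE.fullmatch(shown):
            continue  # plain "click here" text is not a host claim
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        real_host = urlparse(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            out.append((shown, href))
    return out


def triage(from_header: str, html_body: str) -> list[str]:
    """Collect human-readable reasons an email deserves a second look."""
    reasons = []
    dom = sender_domain(from_header)
    if display_name_spoof(from_header):
        reasons.append(f"display name claims an internal sender but address is @{dom}")
    if lookalike_domain(dom):
        reasons.append(f"sender domain {dom} is a lookalike of a trusted domain")
    for shown, real in mismatched_links(html_body):
        reasons.append(f"link shows {shown!r} but goes to {real}")
    return reasons


# Constructed sample message, modelled on the "from HR" scenario in the article.
SAMPLE_FROM = '"HR Department" <hr-update@examp1e.com>'
SAMPLE_BODY = (
    "<p>Please confirm your details at "
    '<a href="http://login.examp1e.com/portal">https://portal.example.com</a></p>'
)

if __name__ == "__main__":
    for reason in triage(SAMPLE_FROM, SAMPLE_BODY):
        print("-", reason)
```

The three checks are deliberately cheap and explainable, so the output can be shown to the recipient as part of the “don’t blame them” conversation the article recommends: each reason points at something a person can learn to look for next time.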

Is there a technical solution we can deploy?

Unfortunately, it’s not as easy as just installing a product, as social engineering targets people as much as computers. There are technical solutions that should be part of your defences – such as two-factor authentication, to defeat password stealing, and disabling remote access to files and servers where it’s not needed. However, all of this needs to be deployed in tandem with user awareness training.

What’s the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There are many organisations that provide phishing simulations, to show users how they can get fooled and help them recognise such situations when they occur for real. Again, though, don’t blame staff if they do get tricked: that only isolates them from the security process, and you’ll get better results – not to mention a happier workforce – if they feel trusted and involved with company security.
