PC Pro

Cheat Sheet: Social engineering

What’s the biggest security risk in your business? Davey Winder explains why it’s not your network, but your own well-meaning employees


Why employees are your biggest security risk.

Social engineering? Sounds sinister.

It is, but not in an Aldous Huxley, Brave New World kind of way. The dictionary definition would be something like: “Deception with the intent of gaining confidential information for fraudulent purposes.” In practical terms, this typically means someone trying to trick you into sharing your login credentials, or installing malware.

Ah, you mean like phishing. Isn’t that a consumer problem?

Phishing is one social-engineering trick, but the definition includes any attack methodology that relies on trust and deception. And it’s certainly not merely a consumer problem: when Imperva researchers set up honeypots to attract phishing attacks, they found that business data was highly sought after, with 25% of the attackers going for business-related targets.

So what types of attack do we need to look out for?

We’re all familiar with scattergun phishing emails, but you should also be on the alert for highly targeted attacks (“spear phishing”); these can be much harder to spot, because they appear to come from a trusted source and include information specific to the recipient.

Then there are those telephone calls pretending to be from Microsoft support, that actually want to gain remote access to your computer. And don’t discount the possibility of someone walking confidently into your offices, smooth-talking their way past the reception desk and gaining physical access to your IT systems.

Surely not many people fall for these tricks?

The trouble is that a social engineer only needs to fool one person in your organisation to gain access to your networks and data. Indeed, talk to any IT security professional and they’ll tell you that most data breaches today start with a social engineering attack of some kind. It’s often much easier to exploit an individual than to mess around with technical hacks.

So what should we do if one of our employees falls for a social-engineering attack?

Well, don’t blame them. Employees are only human, and in most cases they’re trying to do the right thing. MWR InfoSecurity did some simulated phishing research last year, and found that spoofed emails, supposedly from the HR department of their organisation, fooled nearly three-quarters of recipients into clicking a phishing link and providing their credentials.

For similar reasons, social media is often a channel for social engineering, as it provides a ready-made network of trust. The same researchers found that when an email (even one sent to a work address) requested the recipient to connect via a social media channel, roughly 25% clicked the included link. This led them to a fake login screen where 54% gave their credentials – of whom 80% then downloaded a malicious executable.

Is there a technical solution we can deploy?

Unfortunately, it’s not as easy as just installing a product, as social engineering targets people as much as computers. There are technical solutions that should be part of your defences – such as two-factor authentication, to defeat password stealing, and disabling remote access to files and servers where it’s not needed. However, all of this needs to be deployed in tandem with user awareness training.

What’s the best way to make users aware of the risks?

As is so often the case, the best way to learn is through experience. There are many organisations that provide phishing simulations, to show users how they can get fooled and help them recognise such situations when they occur for real. Again, though, don’t blame staff if they do get tricked: that only isolates them from the security process, and you’ll get better results – not to mention a happier workforce – if they feel trusted and involved with company security.
