Written by Stuart Peck
In the previous two articles, we covered the fundamentals of social engineering and the techniques attackers use to great effect to gain unauthorised access to sensitive information. In this post, we are going to outline some of the defensive techniques you can develop to reduce your exposure to social engineering. Note that I did not say mitigate or remove the risk, because the reality is that even the most hardened security professional can be social engineered; it is a matter of timing, and a well-researched and crafted pretext could lead to an attacker striking gold.
What this article aims to provide is a range of tactics that reduce your exposure to both the simplistic and the advanced techniques attackers use on a regular basis.
People-Centric Attack Vector Requires People-Centric Defence
If you are reading this, then you may have spent years learning about infosec, attended a few training courses, maybe you hold a few certificates, and consider yourself adept at dealing with phishing and other social engineering attacks. Now let's talk about compliance-based "Security Awareness" training: on average, this is an annual or biannual exercise, usually delivered online or through a Learning Management System, and it generates little engagement from employees. The key point here is that infosec professionals spend many years learning their tradecraft, and yet we expect users to change their behaviours and become adept at spotting and reporting phishing emails and other attacks after a one- to two-hour CBT (Computer Based Training) course.
Changing behaviours takes time; on average, it takes over 3 months before new habits form and become normal working procedures. The key to effecting change is to get user buy-in, which is usually very difficult unless your training is highly engaging and preferably face to face. It is made even more difficult given that security departments are typically small in comparison to the rest of the IT team, and smaller still versus the actual headcount of the business. This is where developing programs that encourage champions is vital: the security team can increase its footprint within each business unit through a person who takes an active interest in promoting information security and training, and who is essentially the human sensor for the infosec team.
Defence is Much More Than Just Training
Specifically identifying the high-risk groups of people in your organisation that are likely to be targeted by social engineers, and providing them with targeted training, is a quick win, but it is also important to have a wider and longer-term strategy that does not just involve an annual Computer Based Training activity. Social engineering defence is the balance between Education, well-enforced Policies and Technology. Here are a few ideas:
1) Know who your targets are and invest in regular face to face training. Everyone is a potential target for social engineering; however, here are some high-risk groups:
· Executive Assistants
· Customer-facing employees
· IT / Developers
· Marketing / social media
· Finance / Payroll
2) Understand the risks of oversharing; are your employees making themselves an easy target?
· Monitor social media, especially Instagram / Facebook, and provide guidance on what could expose the employees and the company to the risk of being targeted
· Make employees aware of the exposure and provide regular training on the risks of oversharing
3) Specific and regular training on the risks of social engineering is vital, but in addition:
· Provide policies that do not penalise those who report, but actively encourage engagement. Buy-in is a must!
· Principles of trust but verify destabilise social engineering and can be highly effective
· Segregation of duties for high-risk targets is vital!
4) Technology, people, and process need to work in harmony; without this, social engineering will always be a risk
· Ensure everyone has multi-factor authentication or U2F to reduce the risks from phishing and credential stuffing
· Put in place processes and technology that allow employees to easily report potential phishing scams
· Gamification and simulated attacks work, but naming and shaming does not
5) Understand the risks and exposures
· Policy and procedure review - does everyone know their responsibilities? How can you prove this?
· Data Risk Assessment and Discovery - where is the critical data? How well protected is it? Who has access?
· Incident Response – how effectively can you detect, react and respond to a social engineering attack?
6) Attackers Don't Care About Compliance
· Prevent social engineering attacks by conducting risk assessments to spot and remediate potential weaknesses
· Regularly test for weaknesses in people, process and technology. Test, remediate, repeat
· Compliance training does not drive lasting change! Make training fun, engaging, and about the employee; give them the skills and tools to improve their own personal security posture, thereby massively reducing risk
In Summary
Social engineering has been around for an extremely long time, but technology has enabled it to scale at a rate never seen before. Existing strategies of annual training, unclear policies and sole reliance on technology to fix what is a very human problem are clearly not working.
What's required is a long-term strategy in which regular face to face training is invested in; safe behaviours are championed; reporting is encouraged; policies are clear, well defined, and presented in a way that normal employees can understand; and technology is used in a way that helps deter, detect, react and respond to attacks that target the human.