The online world is full of tricksters and fraud—and the threat to businesses is great. Employees can easily be lured into what seems to be a trusting relationship, which is actually a social engineering scam. Cryptzone's Taylor offers tips on safeguarding your firm from harm.—Jennifer Bosavage, editor
Social engineering attack-driven threats have gone through the roof in direct response to the surge in the take-up of social networking sites and services, especially within the last two years. While most stories have been associated with private individuals being conned into parting with bank details, usernames and passwords, the threat is just as real for businesses and public bodies — although understandably less well publicized when an attack is successful.
One of the more extreme incidents reported last year was when the manager of a Belgian supermarket agreed to meet a new Facebook friend. It led to him being gagged and blindfolded and forced to hand over the keys to his apartment. One of the attackers subsequently found the keys to the supermarket and proceeded to empty the vault.
Few attacks are so dramatic – if they were, more people would pay attention to the security training they are given. However, the incident demonstrates that social engineering primarily exploits human weaknesses, which makes such attacks almost impossible to prevent using purely technical controls. As security professionals we need to help our customers implement security awareness campaigns that comprise more than a list of dos and don’ts and instructions on how to use the IT security tools we sell them, as if those tools were a panacea for all their security problems. As the UK Information Security Breaches Survey Results 2012 from PwC indicated, “the root cause of data breaches is often a failure to invest in educating staff about security risks.” We therefore need to share creative ways to communicate IT security risks and, in particular, ensure employees have sufficient knowledge to thwart social engineering tactics. Many users simply don’t understand the value of the information they are tempted to share, especially when they provide just one piece of the information jigsaw.
Here are six simple lessons for customers to communicate to their employees, built around the overarching question "Could any of the information I am making known damage the organization I work for?", followed by my tips to ensure this message is retained and acted upon.
6 Simple Lessons for Employees (they are simple but easily forgotten)
Telephone: If someone calls in and asks for information, don’t presume they have a right to know. Verify who is calling and why they need the information. Persistent questioning displays a level of security consciousness that will put off some social engineers, who seek to catch people off guard.
On-line chat: Using informal communications tools often creates the appearance of a closer relationship than actually exists. Don’t be fooled into sharing information with a so-called friend.
In person: Don’t let people you don’t know follow you into the building, even if it makes you look a bit silly. Politely challenge people you don’t know and don’t be intimidated by any protestation. You will be forgiven if they turn out to be the CEO!
Shoulder-surfing: Just as when you enter your bank PIN at the cash machine, always assume the person behind you may be looking at your screen. Be aware of what you are displaying within the office environment, and especially when in public places.
Email: If you don't know who the sender is and the topic is not relevant, immediately delete the email to prevent the download of malware to your computer. Never click a link in a suspicious email or respond to requests to enter account information for verification.
Paper: Don’t leave sensitive information lying around, and ideally only print sensitive information if you can retrieve it immediately from the printer. If your printout is not there, don’t just print another; be suspicious. If you are discarding confidential records, sensitive memos or reports, make sure they are shredded rather than left in the garbage.
Helping the message sink in
1. Ensure your customers’ procedures and guidelines are in clear language, well communicated and easily accessible when people need to reference them.
2. Suggest customers use multi-sensory techniques, including posters, videos, PA system or role play, to get their message across.
3. Encourage organizations to reinforce policies and procedures with regular security reminders. They should try to make them entertaining, so they are more memorable.
4. Get customers to consider introducing testing, either for all users or for a proportion of them. They will be able to identify weaknesses and therefore focus training effort on the areas that need it.
5. Occasionally offer customers a trial social engineering attack. They can reward those who stop it, and you can review and correct any security lapses it reveals.
Your customers’ environment can never be 100 percent protected from a social engineering attack, but the more informed employees are, the less opportunity a would-be social engineer will have for a successful attack.