PROTECT YOUR ORGANIZATION AGAINST SOCIAL ENGINEERING ATTACKS
Improvements in security software and hardware push criminals toward other routes into the network. Where is the least secure part of an organization? The workforce.
A single workforce member can undo years of IT security work in one social engineering attack. Organizations must take this threat seriously and devote more training resources to reducing it.
Social engineering is one of the easiest routes to sensitive data, especially when workforce members have not been trained to recognize and resist it. It is less predictable than a conventional network attack, and everyone who works for your organization is a potential target, from the receptionist to senior management. People will make mistakes, but with regular, meaningful, interactive training you can stop most attacks before they succeed.
SOCIAL ENGINEERING 101
Social engineering is the use of persuasion, deception, or pressure to get an employee to hand over passwords, computer access, or entry to off-limits areas, which the attacker then uses to steal sensitive data or reach internal systems. Often it takes nothing more than acting as if they belong.
Three main social engineering techniques plague organizations today:
1. Classic Social Engineering
Initiated in person or by phone, the social engineer claims to be someone important (usually from IT) and demands information from whoever answers the phone or sits at the front desk. The scenarios range from demanding employee IDs "to fix a software problem" to claiming to be a utilities auditor who needs access to the server room. If the employee complies, the attacker now has a legitimate-looking path into the network.
2. Email Social Engineering
Email social engineering (phishing) is the extremely successful electronic cousin of classic social engineering, and by this article's estimate it costs the average U.S. organization more than $3.7 million annually. Legitimate-looking emails carry malicious attachments or links to fraudulent web pages and are sent to employees in the hope that someone opens them. Attackers use Google and LinkedIn to research managers and business partners whose names lend the message credibility.
3. Opportunity Social Engineering
Opportunity social engineering does not normally involve direct interaction between the social engineer and an employee, but it still results from employee actions. For example, social engineers leave USB drives loaded with malware in the parking lot. If an employee picks one up and plugs it in at work, the malware runs on that workstation and can spread from there. Slipping through an unlocked smoke-break entrance or stealing employee IDs out of parked vehicles are other ways social engineers turn opportunity to their advantage.
Social engineers are confident, friendly, and usually in a hurry. They look like they belong and use time pressure to rush employees into handing over what they want.
5 METHODS TO TRAIN YOUR TEAM ON SOCIAL ENGINEERING
There are countless ways an organization can be socially engineered, but most incidents come down to unaware staff with no policy or prior training to guide their actions.
The following five methods will educate your employees about social engineering, protect sensitive data, and help keep your organization out of a damaging data breach.
1. HOLD A MANDATORY SOCIAL ENGINEERING MEETING
First things first: hold a mandatory social engineering meeting for all employees, executives included. If you don't feel qualified to lead it, hire a corporate social engineering trainer.
Ask employees scenario-based questions about social engineering. Do your research and share real stories. Act out scenarios that could actually occur in your environment, and keep it interesting and interactive. Create dedicated training for front-line staff who regularly deal with visitors, such as receptionists, because they are the most exposed.
The meeting should leave employees able to recognize the types of social engineering attack, avoid being manipulated, and know what to do when someone tries to solicit information from them.
Social engineering is not something a video can teach; it needs hands-on practice.
2. CREATE A CORPORATE POLICY THAT EMPLOYEES UNDERSTAND
Your social engineering policy can include whatever will help employees identify, assess, avoid, and document social engineering attempts. Keep it short and plain; a lengthy, legalese-filled document will not be read.
A few examples of specific policy points to include:
- Request ID verification for anyone trying to access off-limits areas
- Document suspicious people or situations
- Never plug in a USB device unless it came directly from the IT department
- Report lost or stolen badges immediately, and no later than 12 hours after discovery, so they can be deactivated
- Never click links or open attachments in an email you don't recognize
- Send suspicious and potential phishing emails to email@example.com
- Alert a manager if you feel you are encountering or have encountered a social engineering situation
3. MAKE IT PART OF REGULAR CONVERSATION
Make training continuous by weaving social engineering awareness into the messages workforce members already receive. Put it in the employee newsletter. Send regular emails that walk through real-life scenarios. Post tips on bulletin boards. Bring new hires into your anti-social-engineering campaign as early as possible.
Your campaign should also remind readers that social engineering does not only happen inside your walls. Attackers can pick up information on the subway, by eavesdropping on a phone call at the grocery store, or from oversharing on social media, any of which can seed a later attack.
The daily routine of work makes it easy to forget what was learned in training, which is why the reminders have to keep coming.
4. PUT STAFF TO THE TEST
Assemble an internal social engineering team (or hire a penetration testing firm) and authorize them in writing to test your own employees by doing the things a real social engineer would do. The written authorization protects the testers and defines what is in and out of bounds.
Your task force should do things like:
- Pose as janitorial staff and attempt to access a secured room without a badge.
- Pose as an IT person that needs to fix the network and see how close they can get to the server room before someone stops them.
- Use technology like Wombat’s ThreatSim software to send fake phishing emails and track the results.
- Try unlocked doors around the backside of buildings.
- Dumpster dive for sensitive documents.
- Leave USB drives around your site, loaded with a harmless beacon file rather than real malware, and track where they end up and who plugs them in.
- Look for unlocked computers and change the desktop picture.
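The simulated phishing item above is the easiest test to run in-house, and the part that is usually done badly is attribution: knowing who clicked, and being sure the numbers can't be gamed. The following Python is an added example and not code from this page or from Wombat's ThreatSim; the recipients, the campaign key, the landing URL and the function names are all assumptions. It builds per-recipient tracking links whose tokens carry an HMAC tag, so a token that was guessed or edited is rejected instead of counted, and it reports the click rate per department rather than the raw click count.

```python
import hashlib
import hmac

# Constructed sample recipients for the demo; a real campaign pulls these
# from the directory or HR system. No real people or addresses.
RECIPIENTS = [
    {"email": "alice@example.com", "dept": "Finance"},
    {"email": "bob@example.com", "dept": "Finance"},
    {"email": "carol@example.com", "dept": "Reception"},
    {"email": "dave@example.com", "dept": "IT"},
]

# Assumed per-campaign secret and internal landing page. The key never appears
# in the email or on the landing page; generate a fresh one for each campaign.
CAMPAIGN_KEY = b"constructed-campaign-key-do-not-reuse"
LANDING_URL = "https://training.example.com/verify"


def make_token(email, key=CAMPAIGN_KEY):
    """Per-recipient tracking token: a 16-hex-char recipient id plus an HMAC tag.
    The tag lets the collector reject tokens that were guessed or edited, so an
    employee cannot attribute a click to a colleague or scrub their own."""
    rid = hashlib.sha256(email.lower().encode()).hexdigest()[:16]
    tag = hmac.new(key, rid.encode(), hashlib.sha256).hexdigest()[:16]
    return rid + "." + tag


def build_campaign(recipients, key=CAMPAIGN_KEY):
    """Return (lookup, messages): lookup maps recipient id -> recipient record,
    messages are the lure emails, each carrying that recipient's tracking link."""
    lookup, messages = {}, []
    for r in recipients:
        token = make_token(r["email"], key)
        lookup[token.split(".")[0]] = r
        body = (
            "Subject: Action required: confirm your account\n\n"
            "IT has detected a sign-in problem with your account. Please "
            "confirm your details within 24 hours:\n"
            f"{LANDING_URL}?t={token}\n"
        )
        messages.append({"to": r["email"], "body": body})
    return lookup, messages


def record_click(token, lookup, clicks, key=CAMPAIGN_KEY):
    """Attribute a click on the landing page. Returns the recipient record, or
    None for a garbled, forged, or unknown token (log those; don't count them).
    clicks is a dict of recipient id -> click count."""
    rid, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, rid.encode(), hashlib.sha256).hexdigest()[:16]
    # Compare as bytes so a token containing odd characters cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()) or rid not in lookup:
        return None
    clicks[rid] = clicks.get(rid, 0) + 1
    return lookup[rid]


def report(recipients, lookup, clicks):
    """Per-department (people who clicked, people emailed). Counting people
    rather than clicks keeps one curious employee from skewing the rate."""
    sent, clicked = {}, {}
    for r in recipients:
        sent[r["dept"]] = sent.get(r["dept"], 0) + 1
    for rid in clicks:
        dept = lookup[rid]["dept"]
        clicked[dept] = clicked.get(dept, 0) + 1
    return {d: (clicked.get(d, 0), sent[d]) for d in sent}


def run_demo():
    """Constructed campaign: alice clicks twice, carol clicks once, and one
    tampered token (dave's id with a zeroed tag) is rejected."""
    lookup, messages = build_campaign(RECIPIENTS)
    clicks = {}
    alice_token = messages[0]["body"].split("?t=")[1].strip()
    record_click(alice_token, lookup, clicks)
    record_click(alice_token, lookup, clicks)
    record_click(make_token("carol@example.com"), lookup, clicks)
    forged = make_token("dave@example.com").split(".")[0] + "." + "0" * 16
    if record_click(forged, lookup, clicks) is not None:
        raise RuntimeError("forged token was accepted")
    return report(RECIPIENTS, lookup, clicks)


if __name__ == "__main__":
    for dept, (hit, total) in run_demo().items():
        print(f"{dept}: {hit}/{total} clicked")
```

In a real campaign the landing page, not this script, calls record_click with the t parameter, stores rejected tokens for investigation, and shows the employee a short teaching page instead of a fake login form. Keep the campaign key out of the email and the page, and pick a fresh one each run so links from an old campaign cannot be replayed into a new one.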
Whenever you test employees, capture what happened so you can turn it into a teaching moment: what they did wrong, how to avoid it next time, and encouragement to share the experience with coworkers. Be careful not to embarrass anyone. A positive experience makes people want more training; a public failure makes them hide the next incident.
5. BUILD A CULTURE OF HEALTHY SKEPTICISM
Your culture should praise good judgment and healthy skepticism.
The key to employees who handle social engineering well is simple: they must feel comfortable questioning strangers.
Before rushing into a decision, employees should stop, question, and think the situation through:
- “Do we allow anyone with a uniform behind the desk? UPS guy? Janitor?”
- “What are you doing back here in the server room?”
- “Can I see your ID please? Hold on for a second while I verify your clearance.”
- “No, I’m sorry but you can’t use my ID. Where’s yours anyway?”
- “I’m going to have to talk to my manager about giving you that information.”
If you don't have regular social engineering training in place and scheduled, begin as soon as possible, and tailor it to your normal business practices. Test everyone's responses, including upper management and executives. Executives often won't buy into the severity of the threat until they see firsthand how their own employees respond.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, and Certified Forensic Investigator, we have tested over 1 million systems for security.