How to Prevent Social Engineering…You Can’t
January 18, 2016
There’s little you can do to stop social engineering. Only by sustaining a culture of doubt will an organization avoid social engineering exploits.
For the sake of this blog post, let’s run through a few of the common ways to avoid these attacks.
How to Prevent Social Engineering Attacks
Identify the most valuable assets in the organization
You need a pair of fresh eyes, independent of your organization, to evaluate and determine the most valuable assets and weakest links. Of course, the weakest link is the human element. People often unknowingly leave doors wide open for intruders to walk in and steal information.
Employ a penetration tester to probe how well your organization withstands social engineering tactics, and specifically pretexting. How do employees hold up against phone calls, emails, and other inquiries requesting confidential, and seemingly non-confidential, information?
Turn Up the Spam Mail Filters
In the organization’s email system, set the spam filter to its highest setting. This reduces the number of phishing emails that reach inboxes, which in turn decreases the chance that an employee mistakenly clicks a hyperlink, downloads an attachment, or replies to the message.
Take advantage of all security features already available within your organization to reduce the chance of attack. Employ and update anti-virus software and firewalls.
Clarify the Line Between Personal and Work
Establish and clarify a “personal” and “work” policy in the office. Unless a person absolutely must access social media accounts at work, do not permit their use on a work PC. No unregistered computing devices should be permitted to connect to the LAN within the office environment.
This clarification decreases the possibility of a person responding to a “friend” email, instant message, or social media message.
Remember that email hijacking is rampant. Once a person gains access to an email account, it’s feasible to take control of social media and other common accounts connected to that email account. Social engineers seize control of social media accounts and pose as friends who request help with an emergency, ask for donations to a charity, or carry on conversations in which the target often doesn’t realize they’re releasing important information.
Also, the average person does not diversify their passwords across accounts. If they do, they use variations of one base password or apply a fixed rule for substituting characters and numbers in a phrase. These practices are better than setting common passwords, but they are predictable and will not withstand a determined black hat hacker.
This separation of personal and work leads into the next point regarding access management.
Effective Access Management Reduces Potential Damage
Damage control comes in the form of access management. The security team and major organization stakeholders should set clear guidelines and rules for which personnel hold access to specific information, tools, and resources. Establishing access rules on a strict “need to know” basis decreases the possibility of widespread damage in the event of an intrusion. Proper access management enables IT security teams to isolate incidents and identify the point of failure. Access management is a core practice of general and cloud security best practices.
Training and Awareness
How do you cultivate a culture of skepticism? Change the way people think through training, awareness, and enforcement. These tactics cannot eliminate human error, but they minimize the risk and aim to reshape the organizational perspective on security awareness, specifically on phishing and social engineering attacks.
We covered USB policy in the blog post “Is Your Company Vulnerable to these Social Engineering Attacks”, along with a number of similar rules and practices relating to the prevention methods discussed below. This blog post builds on that material to establish a starting point for organizations that have no security policies addressing these situations and no training in place.
Train employees to notice when a question or request, whether on the phone or in an email, does not fit the context of the initial inquiry.
Phishing artists construct excellent duplicates of company and bank emails and websites to bait individuals into clicking malware-laden links and attachments, or into answering a request for confidential information. Banks do not ask for account information or passwords via email, and they do not ask for passwords over the phone; they adhere to strict security policies. So when a so-called bank representative requests this information, recognize it as a strange request.
Spelling Errors and URLs
Phishing artists purposely create near-identical copies of legitimate business websites. Pay attention to the URL, whether it appears in an email or another source. Look for misspellings or anything unusual, and treat unfamiliar URLs with suspicion.
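As an added illustration that is not part of the original post, the following Python checker flags the URL tricks described above: one- or two-character typos, digit-for-letter swaps, and a trusted name buried inside another domain or path. The trusted domain list and sample URLs are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed list of domains this organization treats as legitimate (assumption).
TRUSTED_DOMAINS = ("examplebank.com", "example.com")

# Character swaps commonly seen in lookalike names; undone before comparing.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(name: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'embedded-brand', 'lookalike' or 'unknown' for a URL."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    if not host:
        return "unknown"
    if registered_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    path = url.lower().split(host, 1)[-1]
    for trusted in TRUSTED_DOMAINS:
        # Trusted name smuggled in as a subdomain or path segment of another domain.
        if f".{trusted}." in f".{host}." or trusted in path:
            return "embedded-brand"
    for trusted in TRUSTED_DOMAINS:
        # Typos or digit/letter swaps that differ from a trusted name by at most two edits.
        if edit_distance(normalise(registered_domain(host)), trusted) <= 2:
            return "lookalike"
    return "unknown"
```

The two-label domain extraction is deliberately crude; a production check would use a public-suffix list so that names like `example.co.uk` are handled correctly.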
In large organizations, you cannot know every employee or every external contractor and service provider. When you receive a phone call in which the caller asks for confidential or questionable information, do not yield to their persistence. If you’re unsure about the caller or the request, always seek a second opinion from a manager or colleague.
A second perspective may catch discrepancies in the request. Social engineers also dislike breaks in the conversation; faced with a delay, they may simply give up.
Social engineers create situations filled with pressure. They demand an urgent decision with these common situations:
- They create a scenario where a friend, loved one, or manager demands your assistance or cooperation.
- They ask for assistance with an immediate matter that needs to be handled by end of business day.
- They defuse suspicion by stating they already received permission from higher-ranking personnel to contact you and request assistance.
In these unusual circumstances, gauge the pressure involved.
All employees should know what paper documents to shred and what documents go straight to the recycling bin. The finance department is not the only department capable of leaking sensitive information.
It wouldn’t hurt to perform random searches through the paper recycling bins in the office. This is time consuming, but it preserves and enforces training. People learn through practice, mistakes, and reinforcement of the lessons taught.
Stay on Top of the Latest Social Engineering Attacks
IT security teams should revisit training and awareness at least once a year. The trainers must stay on top of the latest threats and attacks. The Anti-Phishing Working Group (APWG) maintains information on the latest phishing attacks, trends, and stories. This resource empowers trainers to present real world examples of successful phishing attacks and trends to raise awareness.
If you do not have the financial resources to enlist a penetration tester for testing your organization’s resilience against social engineering attacks, then look at the Social Engineering Toolkit or Maltego. Ashley Wheeler briefly spoke about The Social Engineering Toolkit in a previous blog post about social engineering tricks.
Both tools are useful for gathering information about organizations, employees, and anything else of value. They provide a solid baseline for finding the hidden holes and publicly available information that a seasoned social engineer can exploit.
You may believe there’s not enough information online about you to be valuable to a black hat hacker, but it may be enough to con you and ultimately gain entry to bank accounts, work and personal email accounts, and supposedly secured parts of your organization.
Conclusion: You Can Reduce the Risk of Successful Social Engineering Attacks
Complete prevention is not a reality. Even after the training, awareness, culture change, and penetration testing discussed above, the success of these attacks hinges on the individual. Every person thinks they have enough common sense to identify a phishing or social engineering attack, but as the saying goes, common sense isn’t so common. Humans are helpful and gullible, and phishing artists take advantage of their natural inclination to help.
Everyone is susceptible to a con. Therefore, let doubt drive your security policy.