Is Your Company Vulnerable to these Social Engineering Attacks?
June 23, 2015
Human error and negligence play a major role in cyber security breaches. Cyber security spending continues to increase every year, yet despite the money spent on security, simple social engineering tactics remain effective because they target the employee rather than the technology.
Those in charge of IT security must consider the possibility of such attacks and prepare for them accordingly. The prevention plan should include educating employees on social engineering attacks.
Is your organization capable of handling these attacks?
1. Phishing Emails
As Mr. Pickel explains in What are Phishing Attacks and How to Prevent Them, there are multiple forms of phishing attacks to avoid, including spear phishing and whaling. Employees at companies of every size, from small businesses to enterprises, are targeted by this type of attack. The attack originates outside the organization, but whether it is stopped or turns into an egregious incident or breach depends on how the employee reacts.
IT administrators or those responsible for security should make employees aware of these attacks and teach them to be skeptical of emails, whether they appear to come from inside or outside the organization, especially in larger organizations where you may not know every employee. Keep in mind that social engineers and phishing attacks impersonate familiar people in your network, establish trust, and then infiltrate the organization's security.
The iCloud breach of the past year shows how social engineers gain access to secured accounts by manipulating security questions. For company email, why not remove the security-question password reset option altogether? If a password needs to be reset, put it in the hands of the IT staff: a forgotten password should require a formal request. This seems inconvenient, but it rules out a large portion of password mismanagement on the user's part. Rather than force users to set up security questions with easily guessable answers, put password management back in the administrator's domain. The caveat is that the help desk then becomes the target, so IT staff must verify the identity of the person making the request (for example, by calling back a known internal number or requiring a manager's confirmation) before issuing a new password.
Also, I know this may sound ridiculous, but change temporary or default email and laptop passwords, and do not put passwords on sticky notes attached to your monitor or desk.
Basic phishing awareness entails paying attention to the URLs included in organization emails, not clicking links in external emails, not opening attachments you were not expecting or were not cleared to open, and never responding to a request for your email or other passwords, whether it comes from an internal or external source, unless you initiated that request yourself.
If a person opens a malicious attachment they can unknowingly execute malware, which can easily give an unauthorized party access to the local workstation and, from there, the internal network.
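The URL and sender checks described above can be automated as a first-pass filter. The following is an added example, not code from the original article or from Phoenix TS: it parses a raw email message and reports three classic phishing tells, namely a familiar display name backed by an outside sender domain, a link whose visible text shows one host while the href points at another, and any link to a host outside the organization. The organization domain `example.com`, the sender domain `example-helpdesk.net`, and the sample message are all constructed for the example.

```python
"""Flag common phishing indicators in a raw RFC 822 message (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical): the organization's own mail and web domain.
ORG_DOMAIN = "example.com"

# Constructed sample: a spear-phishing mail that borrows a colleague's name and
# hides an outside link behind an internal-looking URL. Note the lookalike host
# "example.com.reset-portal.net", which is NOT a subdomain of example.com.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@example-helpdesk.net>
To: bob@example.com
Subject: Password reset required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it here:
<a href="http://example.com.reset-portal.net/login">https://intranet.example.com/reset</a>
or see the <a href="https://intranet.example.com/policy">policy</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or '' when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_org_host(host):
    """True only for ORG_DOMAIN itself or a genuine subdomain of it.

    A suffix check on "." + ORG_DOMAIN is what defeats the lookalike trick
    "example.com.evil.net": the org domain appears in it but is not its suffix.
    """
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def html_body(msg):
    """Return the decoded text/html part of a message ('' if there is none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8")
    return ""


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw_message)
    warnings = []

    # 1. Familiar display name, unfamiliar sending domain.
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name and not is_org_host(sender_host):
        warnings.append(f"display name '{name}' but sender domain {sender_host} "
                        f"is outside {ORG_DOMAIN}")

    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        real = host_of(href)
        # 2. Visible text is itself a URL whose host differs from the real href.
        shown = host_of(text) if text.startswith(("http://", "https://")) else None
        if shown and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
        # 3. Any link leaving the organization's domain.
        if not is_org_host(real):
            warnings.append(f"external link to {real}")
    return warnings


if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

Run against the sample, the script reports the outside sender domain, the mismatch between the displayed `intranet.example.com` link and the real `example.com.reset-portal.net` destination, and the external link itself; the genuine `intranet.example.com/policy` link passes. A filter like this is a hint for the reader, not a verdict: attackers can use a plain-text body or a legitimately compromised internal account, which none of these checks catch.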
2. Misplaced USBs
IT staff need to set up a clear and strict policy on the use of removable media. Stricter organizations might consider allowing only USB devices that have been reviewed, formatted, and issued by the company; otherwise no outside or personal USB device should be permitted inside the organization's walls or on a work computer.
Surprisingly, misplaced USB drives found in and around the physical office space remain a successful way to implant viruses or malware on work computers. An employee finds a USB drive in the parking lot, brings it inside, and plugs it into their work computer. Game over. Ignorance is not bliss in cyber security.
3. Physical Security
Spend thousands of dollars on antivirus software, security professionals, Intrusion Detection Systems, and other preventative measures, but if you ignore physical security, the other walls you built will come crumbling down.
At Phoenix TS, hundreds of students, people taking exams, U.S. Postal employees, FedEx, UPS, and even Dunkin Donuts delivery men walk through our offices. Countless organizations deal with non-employee foot traffic that makes them vulnerable to lapses in physical security.
Not only is it imperative to teach employees the importance of locking their computers when away from their workstation, but it is essential to question anything out of the ordinary, no matter how familiar a person may appear. In larger organizations, it is much easier for an intruder to blend into the office environment.
Also, physical security systems, alarms, and surveillance are necessary. Many of the companies I worked for in the past suffered breaking and entering incidents where computers and other expensive items were stolen from the offices. You must protect assets during off hours.
Remember, backing up work and important data is critical in case of any type of intrusion or theft.
4. Phone Scams
False Tech Support Calls
Phone scammers are notorious for fake Windows support calls. The caller offers to help an employee or home user with a computer problem that does not exist and asks to remote into their desktop. Once connected, they secretly install malware and then extort money from the user to remove it.
In my current position, I work with several different third-party software systems. When problems arise there are times to contact their technical support. It is smart to have a healthy dose of skepticism when speaking with technical support representatives over the phone or by email. Do not give out passwords, answers to security questions, or anything personally identifiable.
Screen Phone Calls
Growing up with a privacy-minded lawyer as a father, I quickly learned how to screen home and work-related incoming phone calls without caller ID. Even though he employed a secretary, I learned how to ask who was calling, what the intention of their call was, and for them to leave contact information because Mr. Ruddy was not available at the moment.
Phone scammers are highly effective. Rather than engage with anyone who calls your extension and states your name and position, go on the offensive. Never readily confirm your identity on an unfamiliar incoming call. Ask for the caller's contact information and for them to leave a message. Phone scammers will usually leave false contact information and move on to the next target when faced with an obstacle.
This phone awareness should apply to everyone in the organization, especially secretaries and other personnel who are the first line of defense on main-line calls. If the caller does not know the extension of the person they are asking for, do not transfer the call.
5. Document Theft
Not investing in paper shredders and ignoring trash security may hurt you. Some criminals are more than willing to go dumpster diving outside of corporate offices. Keep in mind that not all corporate dumpsters are secured, and the laws on taking trash from an unlocked receptacle vary by jurisdiction. Seasoned dumpster divers make upward of $150,000 or more selling salvaged products legally procured from other people's trash.
Know where your office trash goes, destroy documents properly, and understand who handles your trash disposal. As a security or office manager, ask yourself, "Who is responsible for removing the trash from the offices?" If the company that handles office maintenance and cleaning does not screen or perform background checks on its employees, how can you trust them with your trash? This sounds extreme, but you must consider all angles.
If you watched the debut season of Better Call Saul, then you understand how even shredding documents may not stop a determined dumpster diver from uncovering valuable and maybe incriminating information. Strip-cut shredders leave strips that a patient adversary can reassemble; a cross-cut or micro-cut shredder makes that far harder.