Trust no one.
More than a pop culture slogan, it’s a mantra enterprises need to impress upon employees. Social engineering, after all, often begins with an appeal to trust or to help someone else. And despite our best intentions to help our fellow man, encouraging healthy doubt is only one component of a strong strategy to prevent and protect against social engineering attacks.
Social Engineering Basics
Social engineering, commonly known as “people hacking,” typically aims to access a system, device, or physical premises to:
- Steal passwords or confidential data
- Install malware
- Damage the company’s reputation or profit illegally
Social engineers aim to gain their victims’ trust while appearing friendly and unassuming. Whether making contact in person, by phone, or via email or other business correspondence, they might pose as a fellow employee, a past employee, or a representative of a vendor or contractor.
In voice phishing, or “vishing,” they might mask their caller ID or use a spoof number so that their call appears to be coming from within the same office complex. In such attacks against companies, the attackers might pretend to be IT support or executive-level end users.
The best social engineers will also take the time to do their research. Using social networks and information available online, they will gain access to personal details that can make their pitch more convincing. That pic of your dog you posted on Instagram? Yep, it could be used against you. By gleaning the target’s interests and habits from social media, for instance, a fraudster can tailor an email to specifically appeal to that target and increase his or her chances of email opening and link clicking.
A malicious social engineer doesn’t stop at the individual; he’ll also familiarize himself with the target company’s procedures. Arming himself with an understanding of your way of doing things can bolster him credibility.
This could even extend to a bad actor putting your employee (the targeted victim) on hold to listen to the very same hold music your company uses, which has been recorded in advance to help psychologically trigger a sense of familiarity. A good social engineer has plenty of tricks like this up his sleeve.
Strengthen Your Social Engineering Strategy
As social engineering attacks become more common, they also grow increasingly sophisticated. Every business — from SMB to enterprise — needs to devise a strategy to protect against this form of psychological manipulation.
Only 3% of malware Symantec Security encounters tries to exploit technical weaknesses. The remaining 97% tries to trick a user through some type of social engineering. That’s a huge risk stemming from the people under your own roof.
Social engineering attacks can’t be prevented with technology alone. That’s why the best social engineering strategy enhances the company through security awareness training. Your humans are, regrettably, your weakest link. Thus effective training is an ongoing effort to keep security a top concern for all employees.
Employees need training on several fronts. First, to address complacency; anyone who thinks, “that will never happen here” is a sitting target for the highly motivated and creative criminals out there.
Next, train employees to recognize social engineering approaches and to stop themselves before they take a potentially dangerous action such as:
- Opening emails from the spam folder or from unknown recipients
- Opening attachments to emails from unknown origin
- Failing to update antivirus protections and software applications
Provide Positive Reinforcement
You know the saying, “fool me once, shame on you. Fool me twice, shame on me.” You don’t want your employees to be fooled, but you also don’t want to rely on shame to get them to keep their guards up.
In training and testing, focus on successes rather than failures. Sharing accolades when someone in the company immediately warns IT of a suspicious email is more likely to foster employee support and build confidence faster than calling out regrettable mistakes.
At the same time, don’t let your employees rest on their laurels. Yes, you want to start out small with social engineering training and testing, but plan to go bigger and get more challenging the more comfortable they become with the learning process.
By varying the pretexts of the social engineering and amplifying complexity over time, you can effectively educate employees on different attack vectors and help the company identify opportunities for adding additional technical controls to protect against real attacks.
Introduce Checks and Balances
Revisit your processes regularly. Are there places you can institute security double checks?
Common social engineering attacks rely on communications that create a sense of urgency or fear. Uncomfortable with these negative emotions, the victim is more likely to disclose information, download a malicious file, or enable access to sensitive data or systems without thinking first.
Encourage people to take the time to:
- Hover over any email links to see where they would be taken if they clicked
- Scrutinize the domain name an email communication is coming from
- Confirm that any online transactions are completed on a site that uses https protocol
- Be cautious when an individual calls asking for information — try to establish the caller’s identity without giving any hints
- Question requests for quick action or any communication that makes the recipient feel pressured to respond urgently
- Verify requests that begin with “I just need” or ask the individual to help fix a “simple problem.” Needing just one little thing is too often an indicator of a big threat.
Strengthen your security awareness programs with these five steps:
- Develop and communicate internal policies
- Implement an ongoing and frequent security awareness training program
- Use a security consulting firm to conduct regular social engineering testing
- Measure training effectiveness and identify deficiencies
- Update the security awareness program to address gaps identified during testing.
Partner With The Experts
Bad actors are forever formulating new approaches to social engineering. You can keep your defenses up to date by using a third-party like RedTeam to test your people and help correct risky behaviors. In our testing, we measure progress in degrees of failure. In other words, all clients fail. We measure progress through repeated testing and failure rate monitoring. To be fully effective, it takes training, testing, and training adaptation to address testing results.
We can customize testing and training to your particular needs, from attempting to get around or through endpoint protection systems to trying to gain physical access to your premises with the “help” of a too-friendly individual on your staff. Protecting hardware and software alone isn’t sufficient. A solid security plan includes educating everyone in your employ about social engineering best practices, too.
Schedule your consultation now and chat one-on-one with a RedTeam expert, risk free. Whether or not we decide to work together, we can help you get a clearer picture of where there might be holes in your defenses and how you can go about shoring them up.