Social engineering is perhaps the most dangerous vector of attack available to hackers.
Social engineering could be a phone call made by an attacker to extract data; an email phishing attack that is composed to look like a legitimate request to gain sensitive information; or a physical intrusion into the building by someone claiming false credentials. The reality is a skilled social engineering attack can fool even the most paranoid “tin foil hat” wearers.
Successful social engineers research their target thoroughly. The more information the attacker has the more questions they can answer thus the more convincing they can be. The goal of such attacks is to get the information/data needed, or to convince the target to perform an action on their behalf.
A good penetration testing company that has landed a contract to thoroughly test the security of an organization without much “red tape,” will normally spend days performing passive research before the hackers fire their first gun. They will find everything they can.
It can be rather shocking the amount public information that’s available to someone that knows where and how to find it. With just a simple crafted search engine string you could find information about anyone that they might have thought to be private.
I have compiled five suggestions that I believe will help an organization to improve their defenses against Social Engineering:
Educating your employees is over preached but under practiced (or under emphasized). The trick is you, as the security professional, have to find a way to make employees care about security.
It is our primary job function to live in a world where the most important thing is security. We go to work and do our best to convince management to increase the security budget for better security.
Other personnel have very different roles and functions that are also essential to day-to-day operations of the organization. We have to realize their responsibilities are important as well, but do our best to convince them that thinking about security is also essential.
Be aware of your organization's presence online by having an Open Source Intelligence (OSINT) report performed for your organization. This will help realize with better accuracy what information is available publicly to a potential attacker. You might find information that could be considered sensitive or dangerous to your security.
Your organization should also know what assets would be most valuable to the attacker. This might seem obvious, but an organization might prioritize things like products, payroll and specific intellectual property while the attacker might prioritize your customer’s personal data.
3. Acceptable Use Policies
Create an acceptable use policy that’s both effective and reasonable.
The acceptable use policy should include safe web searching policies. Enforcing non-compliance regulations with your acceptable use policy is a good idea, but it might not be enough to deter your employees from not complying with the guidelines. (Again, the first suggestion is perhaps the most important: Finding a way for them to care about security!)
You can’t expect to block all web traffic that is not specifically on a whitelist of approved websites – this isn’t practical and would kill the employee’s moral. Employees will want to be allowed to check their personal email or online banking statement, so try to craft the policy to be reasonable while still prioritizing security.
What is not acceptable is downloading or installing unapproved programs, visiting adult websites and using peer-to-peer software, such as torrents.
4. Constant Updates
Windows updates are very important,but it is not the only software that needs to be patched and updated. I’ll admit that manually checking for patches for all your programs, such as Flash, Adobe and various web browsers can be tedious. Luckily, people created great programs that automatically check your current software version against the software’s latest version available.
If the updater finds a newer version available, it will automatically download and install the patch. I personally use a free product called Secunia PSI – it has great reviews and I have found it to do a good job of keeping my software patched and updated.
Rolling out patches for software on a large network can also be a very time-consuming task. Knowing which software has critical vulnerabilities that need to be patched versus software that releases an update for increased functionality can decrease the workload substantially in certain cases.
5. Verify identities
Over the phone, in person or over the internet, never believe someone’s identity because they tell you their name. Remember, a social engineer can be very convincing and has likely done his or her research on their assumed identity.
Ideally, authentication should consist of three things: who you are, what you have and what you know. This isn’t always possible especially via the telephone or Internet. However, the person that’s claiming an identity could possibly meet two of these criteria.
It can be as simple as having him or her scan or fax a copy of their work order, then following up by verifying with something they know – something they know could be a pass phrase, a pin number or a unique piece of information that only that person or contractor would know.
Also, never be afraid to ask your own questions, which could help deter a social engineering attack, such as the name of a direct superior, who signed the work order, or the the address to their company headquarters.
The goal is to just be on the lookout for suspicious queries or unusual and out of the ordinary requests. If any flags are raised, you should seek out your manager or a person in charge that might be able to better verify the person’s identity.
In conclusion, there are many vectors for a social engineering attack. Each is very dangerous and has an alarming success rate. The more information available to the attacker, the more threatening the attack will be.
Know your organization's weaknesses and what information is available publicly. You will then know where to begin to eliminate sensitive information and to better acknowledge what to educate your employees to be on the lookout for. Hire professionals to perform an assessment on your organization's current level of security awareness if possible.
Lastly and most importantly, nothing will be effective against an attack if your employees simply do not care. Be creative! Find a way to keep security on their mind.