Strengthen the weakest link that you may be overlooking – the trusting nature of your employees
Cybercriminals have a staggering variety of ways to get to your company’s systems and sensitive data, and social engineering attacks number among their most successful. Social engineering is the technique of manipulating people into violating security procedures, either by disclosing sensitive information or by otherwise breaking with security protocol. Outside the cybersecurity context, social engineering is innocent enough: many of us use it when we want something from friends or family, to bring people around to our way of thinking, or for other harmless purposes. Cybercriminals, in contrast, use social engineering for nefarious ends.
Significant improvements in security technology have made it difficult for cybercriminals to steal sensitive data by penetrating computer systems. Social engineering relies on momentary weaknesses in people, and it’s easier to deceive someone than it is to hack into systems. Protecting your company from social engineering attacks requires dedication to a training program that addresses your entire workforce and includes social engineering exercises as a test of the training program’s success.
The Importance of Training
There are several important elements to include in your workforce cybersecurity training program. At minimum, you should train your workforce to identify the following four attack methods to reduce your vulnerability to social engineering attacks:
- Phishing – The cybercriminal sends fake emails that appear legitimate to members of the workforce. The emails typically include malicious attachments or links, or request that the user send back sensitive information. Some examples can be found here: http://www.it.cornell.edu/security/phishbowl.ctm
- Pretexting – The cybercriminal calls an employee with a believable story (often impersonating a C-level officer, an IT person or another similarly trusted role in your company), and asks the employee to disclose sensitive information over the phone.
- Media dropping – The cybercriminal puts malicious files on a USB drive and leaves it in high-traffic areas (coffee area, cafeteria, break room, printer room, parking lot and so forth). Once an employee inserts the USB drive into a company-connected computer, the system is infected with malware that enables the cybercriminal to take control of the employee’s computer.
- Physical access to sensitive areas – The cybercriminal parks in your company’s parking lot and observes the area for weak physical controls. The cybercriminal uses the weak physical controls to gain access to sensitive areas and then either steals computer systems or connects to the network to access your systems and steal sensitive data.
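The phishing tells that awareness training teaches people to spot (an executive’s name on an outside address, a sender or link domain that imitates the company’s own, a Reply-To that points elsewhere, link text that does not match the link target, and wording that demands credentials under time pressure) can also be written down as checks and run over the mail that reaches the company, as a second line behind the trained eye. The script below is an added example and is not code from the original article or from VIMRO; the trusted domain, the executive names and the three sample messages are constructed for the demonstration, and the indicator list is illustrative rather than a complete phishing filter.

```python
"""Indicator checks for the phishing tells an awareness program teaches.

Added example, not code from the original article. The trusted domain,
executive names and sample messages are constructed for the demo.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}        # constructed: your own mail domains
EXEC_NAMES = {"jane doe", "john roe"}         # constructed: names worth impersonating
# Wording that pressures the reader or asks for credentials.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended)\b", re.I)
CREDENTIAL_ASK = re.compile(r"\b(?:verify|confirm|validate|re-?enter) your (?:password|credentials|login)\b", re.I)
# Link text that itself looks like a URL or host name (so "Click here" is ignored).
SHOWN_HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def domain_of(address: str) -> str:
    """Mail domain of an address such as 'jane@example-corp.com' or '<jane@x.y>'."""
    return address.rstrip(">").rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates a trusted one without being it."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]          # 'example-corp'
        if edit_distance(domain, trusted) <= 2 or label in domain:
            return True
    return False


def check_message(msg: dict) -> list:
    """Return the human-readable indicators found in one message (empty = none)."""
    findings = []
    sender = domain_of(msg["from_addr"])
    if msg.get("from_name", "").lower() in EXEC_NAMES and sender not in TRUSTED_DOMAINS:
        findings.append("executive name on an external sender address")
    if is_lookalike(sender):
        findings.append(f"sender domain {sender} imitates a company domain")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        findings.append("Reply-To domain differs from the From domain")
    for text, href in msg.get("links", []):
        host = (urlparse(href).hostname or "").lower()
        m = SHOWN_HOST.match(text.strip())
        shown = m.group(1).lower() if m else ""
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
        elif is_lookalike(host):
            findings.append(f"link points to lookalike domain {host}")
    body = msg.get("subject", "") + " " + msg.get("body", "")
    if CREDENTIAL_ASK.search(body):
        findings.append("asks the reader to enter credentials")
    if URGENCY.search(body):
        findings.append("pressures the reader with urgency")
    return findings


# Constructed sample messages: one internal, one pretext, one ordinary vendor mail.
SAMPLE_MESSAGES = [
    {"from_name": "Jane Doe", "from_addr": "jane.doe@example-corp.com",
     "subject": "Q3 planning deck", "body": "Slides attached for Thursday.", "links": []},
    {"from_name": "Jane Doe", "from_addr": "ceo.office@examp1e-corp.com",
     "reply_to": "jane@freemail.example",
     "subject": "URGENT: validate your credentials",
     "body": "Please verify your password within 24 hours or your account will be suspended.",
     "links": [("https://example-corp.com/portal", "https://example-corp.com.login-portal.net/")]},
    {"from_name": "Billing", "from_addr": "billing@vendor.example", "reply_to": "billing@vendor.example",
     "subject": "Invoice 1234", "body": "The invoice for April is attached.",
     "links": [("vendor.example/invoices", "https://vendor.example/invoices/1234")]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", check_message(msg) or "no indicators")
```

Each indicator is reported in the words a trainer would use, so the same output can feed a mail-gateway quarantine decision or be pasted into the “tell real-world stories” part of the next training session. The edit-distance and label-substring tests catch the two common lookalike patterns (one swapped character, and the real domain embedded in a longer foreign host name); they are deliberately simple and will need tuning for a real domain set.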
Keeping Sensitive Data Safe
Covering the essential information in your cybersecurity training is one thing, but employee retention of the training content is key. Here are some tips for increasing the chances of information retention:
- Make it personal – One example of personalizing your cybersecurity training is to incorporate how workforce members can protect themselves both at work and at home. For instance, one of VIMRO’s training sessions includes a checklist for protecting yourself from identity theft.
- Incorporate humor – Humor makes the information you disseminate more entertaining and enjoyable for the attendees. Try demonstrating with cartoons or funny videos that are relevant to the essential message and more likely to hold your employees’ attention.
- Tell real-world stories – People are more likely to remember something if it actually happened, especially if it happened within your organization. VIMRO usually incorporates lessons learned first-hand and recounts stories of successful and unsuccessful attempts to social engineer access to your company’s network from your company’s last social engineering exercises.
Most people do not recognize how much information is available about them and where they work. Learning the publicly available information beforehand makes it easier for a criminal to deceive an individual or the individual’s co-workers, friends and family. Examples of how a criminal can use this information include impersonating the target victim to obtain information and identity theft of either the primary victim or people associated with the primary victim.
Reducing Your Risk
One way to increase your company’s chances of surviving a social engineering attack is to prepare exercises that mimic what happens in the real world. Here are some examples of how the strength of your security protocols can be tested:
- Social Engineering Phishing Exercise
  - Recreate a page or a few pages of a client’s or your company’s website so that workforce members log into it believing that it is a real portal they are authorized to use. The fake website captures the account name and password of anyone deceived into logging in.
  - Send a fake email to workforce members asking them to register or validate their credentials on the new portal. The email attempts to influence them to log into the fake site with their network account and password.
- Social Engineering Pretexting Exercise
  - Call select users impersonating a trusted source, such as a colleague from a remote location or the company’s IT staff. Social media such as LinkedIn and Facebook will help you find someone at the same company but in a different location or business unit.
  - During the call, attempt to obtain the user’s account name and password.
- Physical Security Penetration/Walkthrough Exercise
  - Attempt to gain unauthorized access to conference rooms or other work areas from a public entrance. Sometimes simply walking in, or asking to use a restroom or a telephone, will gain you access.
  - Attempt to access the network from a work area that has network access.
  - Once on the network, try to find and access weak systems by conducting vulnerability scans and other penetration testing methods.
  - Conduct a walk-through of work areas in search of sensitive information on desks (unattended logged-on workstations, papers with sensitive information left in plain sight, and so forth).
  - Leave USB drives with harmless files on them in public areas (parking lots, bathrooms, conference rooms, lunch/break rooms, and so forth). The drives contain only harmless files that report back to a pre-approved, secured and monitored system if anyone plugs the USB drive into a network-connected computer.
  - Leave an envelope addressed to a specific individual or department, apparently from a publicly known entity with whom they do business, such as a state agency or a local business. The envelope can contain a note and a CD/USB drive with harmless files on it. The CD/USB drive reports to a pre-approved, secured and monitored system if anyone inserts it into a network-connected computer.
Conducting the above training decreases your workforce’s vulnerability to social engineering attacks, and reduces your company’s risk of breaches to sensitive systems and data. You can use the outcomes of these exercises to determine and test the effectiveness of your existing security program as it relates to human processes and procedures, the extent of your workforce members’ training as it relates to information handling and disclosure, and the capability of your personnel to identify and mitigate social engineering attempts.
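Turning the exercise outcomes into a measure of the security program, as the paragraph above suggests, means recording each event the fake portal and the beaconing USB drives produce and then summarizing them per department: how many people received the exercise email, how many clicked, how many actually submitted credentials, and how many drop-media beacons came back from which machines. The script below is an added example, not code from the original article or from VIMRO; its line-oriented event format, the department names, user ids and host names are all constructed for the demonstration. It also counts a fourth phishing outcome that the article does not mention, an employee reporting the suspicious email, because the reporting rate is the clearest sign that training is working.

```python
"""Summarize social-engineering exercise outcomes per department.

Added example, not code from the original article. Event format is
constructed for this demo (not a real product's log):
  <timestamp> phish <sent|clicked|submitted|reported> user=<id> dept=<name>
  <timestamp> usb beacon token=<drop id> host=<hostname> dept=<name>
"""
from collections import defaultdict

PHISH_STAGES = ("sent", "clicked", "submitted", "reported")

# Constructed sample events: alice clicks twice and submits, bob reports,
# dave only clicks; two drives from the same drop lot beacon from finance hosts.
SAMPLE_EVENTS = """\
2024-05-02T09:00:00Z phish sent user=alice dept=finance
2024-05-02T09:00:00Z phish sent user=carol dept=finance
2024-05-02T09:00:00Z phish sent user=bob dept=it
2024-05-02T09:00:00Z phish sent user=dave dept=it
2024-05-02T09:14:03Z phish clicked user=alice dept=finance
2024-05-02T09:14:40Z phish submitted user=alice dept=finance
2024-05-02T09:15:10Z phish clicked user=alice dept=finance
2024-05-02T09:20:00Z phish reported user=bob dept=it
2024-05-02T09:31:00Z phish clicked user=dave dept=it
2024-05-02T10:02:11Z usb beacon token=lot-03 host=WS-FIN-07 dept=finance
2024-05-02T11:40:05Z usb beacon token=lot-03 host=WS-FIN-02 dept=finance
2024-05-02T13:05:49Z usb beacon token=breakroom-01 host=WS-IT-11 dept=it
"""


def parse_event(line: str):
    """Split one event line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, kind, action = parts[:3]
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"ts": ts, "kind": kind, "action": action, **fields}


def summarize(text: str) -> dict:
    """Per-department phishing funnel (each user counted once per stage) and USB beacons."""
    phish = defaultdict(lambda: {stage: set() for stage in PHISH_STAGES})
    usb = defaultdict(set)                       # dept -> {(token, host)}
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        dept = ev.get("dept", "unknown")
        if ev["kind"] == "phish" and ev["action"] in PHISH_STAGES and "user" in ev:
            phish[dept][ev["action"]].add(ev["user"])
        elif ev["kind"] == "usb" and ev["action"] == "beacon":
            usb[dept].add((ev.get("token", "?"), ev.get("host", "?")))
    report = {}
    for dept in sorted(set(phish) | set(usb)):
        stages = phish[dept]
        sent = len(stages["sent"])

        def rate(stage):
            return round(len(stages[stage]) / sent, 2) if sent else 0.0

        report[dept] = {
            "sent": sent,
            "click_rate": rate("clicked"),
            "submit_rate": rate("submitted"),
            "report_rate": rate("reported"),
            "usb_insertions": len(usb[dept]),
            "usb_hosts": sorted({host for _, host in usb[dept]}),
        }
    return report


def credential_submitters(text: str) -> list:
    """Users who entered credentials on the fake portal: first in line for follow-up training."""
    users = set()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and ev["kind"] == "phish" and ev["action"] == "submitted" and "user" in ev:
            users.add(ev["user"])
    return sorted(users)


if __name__ == "__main__":
    for dept, stats in summarize(SAMPLE_EVENTS).items():
        print(dept, stats)
    print("follow-up training:", credential_submitters(SAMPLE_EVENTS))
```

Counting users rather than events matters: alice’s two clicks are one person deceived once, and a raw click count would overstate the finance department’s exposure. The USB hosts list tells you which workstations to check for endpoint controls that should have blocked the drive, and the submit and report rates, tracked from one exercise to the next, are the numbers that show whether retention of the training is improving.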