As organizations attempt to stay ahead of cyber threats, Social Engineering tops the list of the most popular hacking methods. Social Engineering is the use of human interaction to obtain unauthorized access to information.
The scary part is that much of the information needed to launch an attack is publicly available on platforms like Facebook and LinkedIn.
In ISACA’s January 2016 Cybersecurity Snapshot, Social Engineering was considered the top cyber threat facing organizations today (52%). It is a threat that exploits one of the most vulnerable assets in the organization – people. Just look at a few recent examples:
- Ubiquiti Networks suffered frauds aggregating $46.7 million in June 2015. The company’s SEC filings highlighted how the fraud occurred, stating “the incident involved employee impersonation and fraudulent request from an outside entity targeting the company’s finance department”.
- In February 2016, the contact details of 9,000 Department of Homeland Security staff and over 22,000 FBI staff were exposed in a breach at the US Department of Justice, again due to Social Engineering. After compromising an employee email account, the hacker was unable to get past a DoJ web portal. He then called the organization, pretended to be a new employee, and was given a token to access the portal.
- In August 2015 a spear phishing attack on the Pentagon resulted in the theft of personal information of around 4,000 military and civilian personnel.
There are a variety of techniques that can be used in an attack. Organizations must be mindful of these techniques if they seek to build an effective prevention strategy:
- Phishing – A type of fraud in which an attacker, through email or other communication methods such as the phone, pretends to be someone else to gain sensitive information from a victim
- Spear Phishing – A phishing attack directed at specific individuals rather than a broad audience
- Whaling – A phishing attack on a high profile individual such as a CEO
- Pretexting – A scam in which the attacker claims to need information from the victim, supposedly to validate the victim’s identity, with the result that the victim actually provides the attacker with sensitive or personal information
- Scareware – A form of malware that deceives a victim into believing their device is infected with malicious software. The attacker provides the victim with a solution to the problem when in reality the ‘solution’ is to install actual malicious software on the victim’s device
- Baiting – Enticing a victim with access to lucrative information. The attacker will usually leave a physical device (such as a USB drive) in an easily found location. When the victim accesses the device, malicious software is automatically loaded onto the victim’s machine
- Tailgating or Piggybacking – An authorized individual is closely followed by an attacker into a secure location
- Dumpster Diving – Going through trash to find information an attacker can use to carry out further attacks
- Shoulder Surfing – Obtaining personal information through unwarranted direct observation
An effective Cybersecurity Strategy to combat Social Engineering should include building awareness within the organization as well as technical controls to identify and prevent attacks.
Security Measures – People and Administrative:
- Security Training and Awareness Program – An effective security awareness program will help to reduce the risk of cyber threats and typically includes:
  - Periodic Security Awareness Training – Required training that informs the team of the risks
  - Awareness Campaigns – Flyers posted in public places, email announcements, and events such as a ‘Security Week’ can help to keep security top of mind
  - Security Awareness Testing – Perform internal tests, such as attempting to obtain employee laptops or sending employees phishing emails, to gauge the effectiveness of security awareness efforts
- Policies and Procedures – When developing policies and procedures, be sure to consider aspects that are often overlooked, such as:
  - Disposal management for both waste paper and electronic media
  - Physical security, including visitor access
  - Service Desk security, including an incident response strategy
Security Measures – Technical Controls:
- Keep Software up to Date – Ensure that operating systems, applications, anti-virus definitions and email filters are updated and patched regularly to reduce vulnerabilities proactively
- Disable or Restrict USB Devices – Restricting usage of these devices may reduce the risk of baiting attacks and insider threat (accidental or malicious)
- Require Multi-factor Authentication – Requiring a user to input more than just a password will increase the effort required by an attacker before a system is compromised
- Use Screen Filters – Apply screen filters to employees’ computers to prevent shoulder surfing
- Shred Sensitive Documents – Use micro-cut document shredders to reduce the threat of dumpster diving
- Penetration Testing – Ensure that penetration testing objectives consider Social Engineering methods. You can even ask a member of the testing team to act as the "pizza man" to attempt access to a sensitive area!
While prevention mechanisms cannot guarantee full protection against all vulnerabilities, a good starting point is to conduct a firm-wide risk assessment to identify weak points and ultimately reduce the risk of falling victim to attacks. A strong complement of awareness programs and technical controls can help reduce the risk of Social Engineering attacks.