Social Engineering Part Two: Solving for the Problem
By: Rafe Pilling
Be sure to check out Part I in our series, "Social Engineering: We don't expect to be lied to"
So how do businesses typically defend against this type of attack today, especially when an adversary is creative and willing to do whatever it takes to succeed in their efforts?
IT must change employee cultural norms around security, and implement security awareness training and testing regimens that sensitize employees to the real-world strategies and specific tactics social engineers employ. To succeed at this, IT Security must bring the same level of creativity and commitment to the effort that social engineers bring against them.
The following are specific recommendations for addressing the problem of social engineering:
1. Create a "human intrusion detection system" culture:
- Leverage the employee population to detect social engineering attempts
- Provide clear guidance on employee behaviours that protect corporate information, e.g. screen-lock workstations and other devices, never give out passwords, carefully assess email attachments, don't attach unauthorized devices to the network, control physical access by preventing tailgating, etc.
- Provide clear reporting channels and encourage employees to report anomalies without creating a culture of fear or continuous surveillance
- Lead by example. Management should live the practices they ask of their employees, e.g. wearing their ID badges, not tailgating, screen-locking their workstations, and challenging individuals not displaying an ID badge, even if they are senior management.
2. Implement Security Awareness Training:
- Help employees know the enemies and understand their techniques
- Share real examples of phishing emails and other social engineering attempts, and point out the characteristics that should alert employees to their inauthenticity
- Highlight types of information that attackers might attempt to access
- Highlight types of suspicious activity: unexpected phone calls or emails, individuals loitering or tailgating, unusual requests made at short notice, etc.
- Promote a culture that politely, but firmly, questions unusual activity and policy violations
- Reinforce vigilance through posters, screensavers, newsletters, success stories of thwarted incidents
3. Assess the effectiveness of your employees against social engineering efforts:
- Engage a third party to execute a social engineering assessment and determine how well your anti-social engineering policy and education is working.
- Test how well your employees respond to various social engineering approaches. Will they provide sensitive information in response to telephone and email enquiries? Will they help the "guy" who forgot his badge get into the building? Will they plug in the novelty chocolate-bar-shaped USB stick given to them for 'free' by the nice woman at the tradeshow they attended?
- Publish the results internally and tell people what they can do to improve
- Establish a routine of regular social engineering assessments that provides clear metrics on how effectively your employees rebuff real and simulated social engineering threats.
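The metrics from a simulated phishing campaign are only useful if they measure the right things. Click rate alone rewards a team that clicks less but never reports; what you actually want to know is how many people reported (the "human IDS" firing), how quickly the first report arrived, and how many people still clicked after that first report, since that gap is the window the security team has to pull the message from mailboxes. The scorer below is an added example, not code from the original article or from any particular assessment vendor; the campaign data is constructed, and the column names and department split are assumptions for illustration.

```python
"""Score a simulated phishing campaign the way an assessment report would.

Constructed example: eight recipients, one email sent at 09:00, with the
times at which each person clicked, submitted credentials, or reported it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    user: str
    dept: str
    sent: datetime
    clicked: Optional[datetime] = None    # opened the lure link
    submitted: Optional[datetime] = None  # typed credentials into the fake form
    reported: Optional[datetime] = None   # used the "report phish" channel


T0 = datetime(2024, 3, 4, 9, 0)


def m(minutes: int) -> datetime:
    """Minutes after the send time, for readability of the sample data."""
    return T0 + timedelta(minutes=minutes)


# Constructed sample data (not real campaign results).
CAMPAIGN = [
    Recipient("alice", "finance", T0, reported=m(3)),
    Recipient("bob", "finance", T0, clicked=m(12), submitted=m(13)),
    Recipient("carol", "finance", T0, clicked=m(40), reported=m(42)),
    Recipient("dave", "eng", T0),
    Recipient("erin", "eng", T0, reported=m(25)),
    Recipient("frank", "eng", T0, clicked=m(7)),
    Recipient("grace", "hr", T0, clicked=m(5), submitted=m(6), reported=m(60)),
    Recipient("heidi", "hr", T0),
]


def minutes_after_send(r: Recipient, when: datetime) -> float:
    return (when - r.sent).total_seconds() / 60


def score(campaign: list[Recipient]) -> dict:
    """Return the headline metrics for one campaign (or one department)."""
    n = len(campaign)
    clicked = [r for r in campaign if r.clicked]
    submitted = [r for r in campaign if r.submitted]
    reported = [r for r in campaign if r.reported]
    # "Clean" reports: the person reported without clicking, or reported
    # before they clicked. A report that follows a click is still welcome,
    # but it is a recovery, not a detection.
    clean_reports = [r for r in reported
                     if r.clicked is None or r.reported < r.clicked]
    report_delays = sorted(minutes_after_send(r, r.reported) for r in reported)
    first_report = report_delays[0] if report_delays else None
    # Clicks that happened after the first report reached the security team:
    # each one is a compromise a fast mailbox purge could have prevented.
    late_clicks = sum(
        1 for r in clicked
        if first_report is not None
        and minutes_after_send(r, r.clicked) > first_report
    )
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "clean_report_rate": len(clean_reports) / n,
        "first_report_minutes": first_report,
        "median_report_minutes": median(report_delays) if report_delays else None,
        "clicks_after_first_report": late_clicks,
    }


def by_department(campaign: list[Recipient]) -> dict[str, dict]:
    """Break the same metrics down per department to target follow-up training."""
    groups: dict[str, list[Recipient]] = {}
    for r in campaign:
        groups.setdefault(r.dept, []).append(r)
    return {dept: score(rs) for dept, rs in groups.items()}


if __name__ == "__main__":
    for k, v in score(CAMPAIGN).items():
        print(f"{k:28} {v}")
    for dept, metrics in by_department(CAMPAIGN).items():
        print(dept, f"click={metrics['click_rate']:.2f}",
              f"report={metrics['report_rate']:.2f}")
```

Tracking these numbers campaign over campaign gives the trend the text asks for. On this constructed data the first report arrives three minutes after the send, yet all four clicks happen after it, which says more about the response process than about the employees: the detection worked, the purge did not.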
An effective social engineering assessment gives an organization a tangible experience they can learn from, similar to a "mystery shopper" exercise for customer service quality enhancement, or a fire drill.
This active learning benefits the organization in at least four ways:
- The organization gains immediate feedback on processes that require improvement and what was effective in detecting social engineering approaches.
- Employees who become involved in the engagement gain a tangible experience that they will remember and share with colleagues.
- Management has real examples to use to emphasize the need for following the defined processes for interacting with individuals from outside the organization and verifying those within it.
- The general employee base develops an enhanced level of awareness and diligence, never sure if the next unusual email, phone call or un-badged individual is a real threat or an exercise.
Social engineers are incentivized to be creative and committed. IT Security must keep sight of this fact and bring that same level of creativity and commitment to its efforts to strengthen employees against social engineering attempts.
Effective security policies, documented and published processes, and security awareness training must be in place as a base standard for any IT Security organization. However, testing is the critical element: it ensures that employees are trained with real-world simulations and examples, and are sensitized to the types of strategies and tactics malicious social engineers employ.