
Wednesday, March 27, 2013

Social Engineering by Anthony Ricigliano

Anthony Ricigliano - Anthony Ricigliano News and Advice:

Just when you thought you had your company resources locked down tight, a new type of security breach rears its ugly head. Social engineering is taking corporate theft to a personal level. Unlike a traditional hacker who works from a remote area to slip through your electronic defenses without any desire to walk through your actual doors, social engineers use both low- and high-tech strategies to exploit any weakness in your “human firewall.”

By launching an unrelenting assault on any weaknesses in your processes or employees, these unscrupulous groups or individuals almost always find a way in before they’re detected, if they’re detected at all. However, all is not lost. The best protection against social engineering attacks is to educate your employees about this growing threat in addition to developing a strong security program that takes every possible weakness into account.

What Exactly is a Social Engineering Attack?
Social engineering looks for any weakness, no matter how small, in your human firewall. This multi-dimensional approach uses the following strategies to gain entry into your organization either physically or virtually:
• Using small pieces of information as building blocks to learn even more
• Attacking repeatedly
• Leveraging technology
• Using social skills and a knowledge of basic human psychology

Social engineers are patient and detail oriented. They run through an endless cycle of finding information, developing a plan based on that information, executing the attack, and analyzing any new information. Each time, any new knowledge is used as a launch platform for the next cycle of attacks. This continues until the individual or group breaks into your facility, gets caught, or gives up. Needless to say, they rarely give up.

How Do Social Engineers Get Their Information?

They get tiny bits of information from all over the place and put it all together to create a complete picture of your business. In fact, when they’re done, they may know more about your operation than many of your employees. Here are some methods that have been used in the past:
• Google – Social engineers use Google Earth, Google Street View, and similar sites to “case the joint.”
• Phone Calls – With a simple phone call, social engineers can find unpublished locations, the names of important employees, and whether an employee is in the office or on vacation.
• The Company Website – With just a few clicks, social engineers can find the names, titles, email addresses, pictures, background, and phone numbers of the company’s top executives.
• Social Networks – Facebook, Monster, and LinkedIn are a social engineer’s best friend. In addition to looking at pages belonging to employees, these experts connect to the pages of friends and family, too.
• Campaign Contributions – These are public record and can give an insight into an employee’s personality or political tendencies.
• Impersonating a Vendor or Maintenance Person – Some companies don’t bother to verify every representative who appears legitimate, and maintenance people often go unnoticed.
• Faking, Spoofing, or Stealing Electronic Credentials

Social engineers take this information and use a variety of techniques to either get more information or gain access to important company resources. They may befriend an employee, impersonate someone in a position of authority, threaten an employee in some way, or simply beg for help. By knowing how to use one piece of information to get more, how to read people for potential weaknesses, and how to manipulate any situation, social engineers can often achieve their goals without detection.

What Can I Do to Protect My Organization?

To combat the social engineer’s four-pronged attack strategy, implement a similar plan of your own. Your security program should include the following four constantly repeating steps:
• Observe – Open your eyes and really look at your operation to find weak points.
• Document – Document what is happening as well as what should happen.
• Educate – Don’t assume that your employees will completely understand the document. Teach them good practices and procedures with a hands-on approach.
• Test – Test the system to make sure it’s working as expected. This can include posing questions from time to time or launching a test attack.
• Refine – Continue to circle back through the process to refine the program.

Here are a few best practices to include in every social engineering defense program:
• Verify Information – Trust your employees, your customers, and your vendors, but verify everything.
• Denial Should Be the Default – If there is any question, deny access to both physical and electronic resources. Make sure everything is locked down.
• Create a Notification Process – Give your employees a tool to use if they think they may have been the subject of a social engineering attack. This could be as simple as a number to call or an email to send. Include a method that passes communications up and down the chain of command if an attack is suspected.
• Restrict Removable Media – Restrict USB and CD access to prevent infections from viruses and other malicious code.
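As an added example that is not part of the original post, the following PowerShell script applies the “Restrict USB and CD access” practice on a single Windows host. It writes the registry values behind the Group Policy setting “All Removable Storage classes: Deny all access” and the per-class “Deny read/write/execute access” settings, then checks that the control is in place, which doubles as the “Test” step of the program described above. It assumes an elevated PowerShell session on a Windows machine; the function names `Set-RemovableStorageDenied` and `Test-RemovableStorageDenied` are this example’s own, not part of Windows.

```powershell
# Added example, not from the original post: deny all removable storage access
# using the registry values that the Group Policy setting
# "All Removable Storage classes: Deny all access" writes.
# Run elevated; existing devices may stay mounted until a reboot or gpupdate.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs used by the per-class removable storage policies
# (the same GUIDs the RemovableStorage.admx template uses).
$Classes = @{
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Set-RemovableStorageDenied {
    # Hypothetical helper name; creates the policy key and sets the denies.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # Deny_All = 1 blocks read, write and execute for every removable storage class.
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null

    # Per-class denies are set explicitly so the control survives (and shows up
    # in an audit) even if someone later clears Deny_All.
    foreach ($name in $Classes.Keys) {
        $classKey = Join-Path $PolicyKey $Classes[$name]
        if (-not (Test-Path $classKey)) {
            New-Item -Path $classKey -Force | Out-Null
        }
        foreach ($right in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            New-ItemProperty -Path $classKey -Name $right -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-RemovableStorageDenied {
    # Hypothetical helper name; returns $true only if the global deny is present.
    $value = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}

Set-RemovableStorageDenied
if (Test-RemovableStorageDenied) {
    Write-Output 'Removable storage policy applied: Deny_All = 1'
} else {
    Write-Warning 'Removable storage policy is not in place; check that the session is elevated.'
}
```

On domain-joined machines the same setting belongs in a Group Policy Object under Computer Configuration > Administrative Templates > System > Removable Storage Access rather than in a local script, so that it is enforced centrally and re-applied if a local administrator removes it; the `Test-RemovableStorageDenied` check is still useful as a periodic verification that the policy actually reached each host.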

By using a mixture of both simple and complex methods, social engineers are able to learn an amazing amount of information about a company and launch sophisticated attacks. Educating your employees and continuing to improve your security procedures is the best way to thwart their efforts.

Anthony Ricigliano
