Ok, so what is social engineering? Social engineering is a special kind of cyberattack where the attacker doesn’t have to gain access to your systems first. Instead, they pretend to be someone trustworthy in your organization and just ask employees for the information they need to hurt you. They can spoof email or gain access to the phone systems, but at the end of the day the attack vector is not through technology, but through people. Great, so how do you stop them? The short answer is education. The longer answer is below.
The number one way to stop social engineering is to educate your employees. If they know what to look for, they can stop a problem before it even starts: a suspicious email gets reported unopened instead of serving as an attack vector. One solution I’ve found for this is a service called Ninjio. Ninjio takes a “gamified” approach to security training, with leaderboards showing which of your employees are performing best, and animated videos that walk through specific case studies and how to avoid the mistakes other companies have made.
There are two main roads to go here: network security and physical security. You really need both, but network security is so cheap and easy to implement that you’ll kick yourself for not having it in place already. You might think your business is too small to worry about security. That’s exactly what hackers want you to think. Next, we’ll explore some of the technologies that are being used to prevent social engineering attacks.
Filtering and Endpoint Technology
High-volume, low-customization spam is usually caught pretty easily by even basic filters. Over the past decades, security experts have learned how to recognize spam, and now there is spam prevention on any email solution you might use. This kind of spam, if you don’t remember, was incredibly voluminous even just a few years ago. The goal of filtering is to reduce users’ exposure to phishing attempts. In 2006, 30% of a Hotmail user’s inbox was spam. In 6 years, that number dropped to 3%. By 2015, the average Gmail user’s inbox was 0.1% spam. One in a thousand messages, down from one in three. I’d say we’ve come pretty far, haven’t we?
Disabling Images, Links, and Attachments
One of the additional filters we can set up will disable untrusted images and attachments. Basically, if someone from outside your organization sends you something, users will have to specifically allow images. In the meantime, this means they won’t see official letterhead or other assets that hackers have ripped off from legitimate institutions. A fraudulent email claiming to be from Bank of America will look a lot less legitimate if none of the branding is present. The latest versions of Mac OS X and Windows will also act to prevent people from opening infected files, and automatically disable editing and macros on documents received from the Internet. The purpose of this is to get people to slow down and think about what it is they’re doing. Just a few additional dialog boxes can stop someone from destroying their computer with a malicious Word document.
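As an added example (not code from the original post or from any product it mentions), here is a small Python mail-gateway filter that implements the policy described above: messages from outside a set of assumed internal domains get their inline images replaced with a placeholder, and macro-enabled or executable attachments are listed for quarantine so a person has to decide before they are opened. The internal domain list, the risky-extension list and the sample messages are all constructed for this illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: file types that should never open with a single click when they
# arrive from outside (macro-enabled Office documents, scripts, executables).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".js", ".vbs", ".hta", ".exe", ".scr", ".iso"}


def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    """True when the From: address is not on one of our own domains."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in internal_domains


def triage_message(raw_bytes, internal_domains=INTERNAL_DOMAINS):
    """Apply the 'untrusted images and attachments' policy to one message.

    Returns (rewritten_message, report). Internal mail passes through untouched;
    for external mail every inline image is replaced by a placeholder and risky
    attachments are listed so the gateway can hold them for review.
    """
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    report = {"external": is_external(msg, internal_domains),
              "images_blocked": 0, "attachments_flagged": []}
    if not report["external"]:
        return msg, report
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            # Drop logos and letterhead so borrowed branding lends no credibility.
            part.set_content("[image from external sender blocked]")
            report["images_blocked"] += 1
            continue
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename.lower())[1]
        if part.get_content_disposition() == "attachment" and ext in RISKY_EXTENSIONS:
            report["attachments_flagged"].append(filename)
    return msg, report


def build_sample(from_addr, attach_name="quarterly_report.docm"):
    """Constructed sample: HTML body, one inline logo, one macro-enabled attachment."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "staff@example.com"
    m["Subject"] = "Please review the attached report"
    m.set_content('<p>See attached.</p><img src="cid:logo">', subtype="html")
    m.add_related(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", cid="<logo>")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    for sender in ("alerts@external.example.net", "hr@example.com"):
        _, rep = triage_message(build_sample(sender))
        print(sender, rep)
```

Running the module prints one report per constructed message: the external one shows the image blocked and the .docm listed, the internal one is left alone. The sender check is deliberately based only on the From: header so that the email-authentication step described later still decides whether that header can be trusted.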
Email Authentication
Email authentication is another security method that’s becoming the default. Basically, the receiving mail system checks that a message really comes from the domain it claims to, rather than taking the reported address at face value. This way, you’ll be warned in advance if someone is spoofing an email address to make it look like it’s coming from your organization or a trusted partner.
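The post doesn't name the mechanisms, but the check it describes is what SPF and DMARC do at a receiving mail gateway. The following Python is an added example, not the post's own code: it evaluates a simplified SPF record (ip4 and include mechanisms only; a/mx/ptr/exists are left out as a stated simplification) and then applies the sending domain's DMARC policy with its alignment rules. The DNS TXT records are a constructed in-memory table standing in for real DNS lookups, and the organizational-domain helper just takes the last two labels instead of consulting the Public Suffix List.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real gateway queries the resolver.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:mail-provider.example -all"],
    "mail-provider.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def spf_check(client_ip, domain, depth=0):
    """Minimal SPF evaluator: does the connecting IP appear in the domain's record?

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:                      # RFC 7208 lookup limit, guards include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(client_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                    # a/mx/ptr/exists not modelled here (assumption)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    # Assumption: last two labels approximate the organisational domain (no PSL here).
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(from_domain):
    """Return the p/adkim/aspf tags of the domain's DMARC record, or None."""
    for rec in lookup_txt("_dmarc." + from_domain):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return {"p": tags.get("p", "none"),
                    "adkim": tags.get("adkim", "r"),
                    "aspf": tags.get("aspf", "r")}
    return None


def aligned(identifier, from_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_verdict(from_domain, client_ip, mail_from_domain, dkim_pass_domains=()):
    """Combine SPF and DKIM results the way a receiving gateway does.

    from_domain is the domain in the visible From: header, mail_from_domain the
    envelope sender, dkim_pass_domains the d= values of any valid DKIM signatures.
    Returns (dmarc_result, action) where action is accept/quarantine/reject.
    """
    dmarc = parse_dmarc(from_domain)
    if dmarc is None:
        return "none", "accept"         # nothing published, so nothing to enforce
    spf_ok = (spf_check(client_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, from_domain, dmarc["aspf"]))
    dkim_ok = any(aligned(d, from_domain, dmarc["adkim"]) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "accept"
    return "fail", {"reject": "reject", "quarantine": "quarantine", "none": "accept"}[dmarc["p"]]


if __name__ == "__main__":
    print(dmarc_verdict("example.com", "203.0.113.5", "example.com"))    # legitimate
    print(dmarc_verdict("example.com", "192.0.2.77", "example.com"))     # spoofed source
```

The two printed cases show the point of the post's "warned in advance": the same From: address is accepted when it arrives from an IP the domain owner published, and rejected when it does not, because the record ends in `-all` and the policy is `p=reject`. Passing SPF on some other domain is not enough either; the identifier must align with the From: domain.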
Web Traffic Filtering
There are many domains known to host malicious websites or impersonate legitimate ones. These domains are collected in blocklists that are available both as commercial products and for free. Then you simply block employees from reaching those sites, just as you can filter out online gambling or other categories of site.
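An added example, not from the original post: the matching logic a web filter needs once it has such a list, plus a pass over proxy logs to find who already reached a listed domain. Hosts are matched by domain label rather than by substring, so a parent-domain entry covers its subdomains without also blocking unrelated names that merely contain the string, and the hostname is taken from the parsed URL so userinfo, ports and trailing dots cannot hide the real destination. The blocklist feed and the proxy log lines are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed feed in the common one-domain-per-line format; a real deployment
# loads a vendor or community list and refreshes it on a schedule.
BLOCKLIST_FEED = """
# comment lines and blank lines are ignored
phish-login.example
secure-update.example
BadCDN.example.
"""

# Constructed proxy log: timestamp, user, method, URL.
PROXY_LOG = """\
2024-05-01T10:02:11Z alice GET http://phish-login.example/login
2024-05-01T10:02:14Z bob GET https://www.example.com/
2024-05-01T10:03:40Z carol GET https://cdn.badcdn.example/app.js
"""


def load_blocklist(text):
    """Normalise feed entries: strip comments, whitespace, case and trailing dots."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            entries.add(line)
    return entries


def hostname_of(url):
    """Hostname as the browser would resolve it, ignoring userinfo and port."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_blocked(url, blocklist):
    """Match the exact host or any parent domain, label by label.

    'cdn.badcdn.example' is caught by the 'badcdn.example' entry, while
    'phish-login.example.org' is not caught by 'phish-login.example'.
    """
    labels = hostname_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_proxy_log(lines, blocklist):
    """Return (timestamp, user, host) for every request to a listed domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, user, _method, url = fields[:4]
        if is_blocked(url, blocklist):
            hits.append((ts, user, hostname_of(url)))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_FEED)
    for hit in scan_proxy_log(PROXY_LOG.splitlines(), bl):
        print("visited listed domain:", *hit)
```

The log scan is the other half of the control: blocking stops the next click, while the hits tell you which users to follow up with and which training to reinforce.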
Physical Security
Last, but certainly not least: physical security can stop attacks like malicious USB keys, eavesdroppers, and other things of that nature. Sometimes old school is still the best!
A large data breach can be frustrating and incredibly damaging to a business. Having a plan in place to deal with security failure is important because it can restore trust from customers – if you can tell them what happened, and how you will prevent it in the future, you can mitigate some of the losses. SurfWatch Labs has a great article on social engineering and they provide a list of Do’s and Don’ts on planning:
Do:
- Have an ongoing training schedule that continually emphasizes the importance of security awareness
- Provide and test employees with real-world examples of social engineering
- Track metrics such as phishing click rates in order to identify risk areas and progress
- Follow up exercises with short training sessions to address questions and improve retention
- Address the “High Risk” employees; studies show that a small percentage of users are responsible for a large percentage of an organization’s cyber risk
- Update training to address new threats; as people improve at one area of social engineering, cybercriminals adapt and try new techniques
Don’t:
- Assume that since social engineering cannot be stopped it is not worth the time to train
- Assume employees are security-savvy
- Treat cybersecurity as a checklist item discussed only during orientation and annual review
- Rely on information-driven read-and-click exercises which are quickly forgotten
- Fall into a “set it and forget it” mentality. Cybercrime is always changing!
So hopefully, you have a better understanding of how to stop social engineering attacks. Please feel free to contact us if you’re interested in upgrading the technology side of your social engineering prevention.