Most SMEs have priceless customer data, intellectual property, or both. In the wrong hands, they are wares for the black market, selling at a premium to the highest bidder. How do information thieves purloin the precious electronic cargo? They use social engineering attacks, manipulating human behavior until company employees unwittingly hand over everything they need. Attacks range from tricky email links that lead the unsuspecting to hand over usernames and passwords to faux IT staff who offer to fix nagging computers only to rifle through company information. Whatever the attack vector, whatever the ploy, an enterprise has many options to fight back.
Common Socially Orchestrated Data Breaches

To defend against these surreptitious data spies, enterprises should first school themselves in the schemes attackers use. Those trick emails, for instance, are called phishing attacks. The subject of the spam will likely be something urgent or enticing so the recipient will open it. “A lot of recent attacks are around the financial crisis,” says Kevin Prince, chief architect, Perimeter eSecurity (www.perimeterusa.com). For instance, the message might purport to be from a bank that bought the consumer’s bank. The message will instruct the recipient to click a link and enter some account information to ensure his account is safe. The FTC (Federal Trade Commission) recently warned of a series of attacks like this. In targeted attacks, the emails go to employees of a specific company on a specific Web domain. Experts call these attacks spear phishing. For these attacks, the social engineers first research the business on the company Web site and on social networking sites such as Facebook, Prince explains.

Then they make the email appear as if it is from someone at the organization. “Using the company directory, which is often available on the organization’s Web site, an attacker will locate an employee or executive email address,” says Gregory D. Evans, ex-hacker and security professional, Ligatt Security (www.ligattsecurity.net). Because the email seems to come from a co-worker, supervisor, or someone in technical support, employees may do whatever the message asks of them without question. Other common deceptions include impersonating someone from IT to get in and initiate an attack in person.

Key Points
• To avoid phishing scams, remind employees not to click links that arrive by email.
• In-person attacks can compromise company data, so employees should not share potentially sensitive information with unconfirmed parties.
• Everyone with access to sensitive data should read and follow security policies.
“Attackers use small amounts of unrelated data to piece together the information they need for a face-to-face attack,” says Jeff Debrosse, research director, Eset (www.eset.com). To gather this information, social engineers are known to start conversations with waiting passengers seated in the terminal areas of airports. Anyone may end up sitting next to an employee, asking what he does and where he works. “People usually feel OK about having that conversation,” says Debrosse. During the conversation, an employee may reveal his title and department or even personal information such as his pet’s name, which is one of the most frequently used passwords, Debrosse notes. With only that much information, an attacker can call the company and ask for the employee by name. Evans notes that a frequent script for these corporate spies is to say that the IT director, whose name they got from the company’s online directory, has asked them to fix the glitch that keeps the employee’s computer running so slowly. Everyone has had that issue. Most employees are so glad to have it resolved that they will give the social engineer full access to their workstation the moment he shows up. “The attacker inserts a USB thumb drive with software designed to make a secure connection back to their computer,” says Prince. With that, the attacker can steal the company data without ever having to set foot on the property again.
Trained Employees To The Rescue

“The best solution is employee education,” says Prince. Train employees about the types of social engineering that occur, why they happen, and how to respond. Drill employees on who should be in which areas and on reporting activities that violate company policy. “Assign a champion or committee to disseminate new and ongoing social engineering threats to employees,” says Debrosse. Employee education does not have to be difficult or time-consuming. “Email security policy updates to employees. Offer video training over the company network. Require them to view it and pass an online quiz,” Evans says. If the enterprise keeps the instruction engaging, using real-world examples and dramatizations, employees will learn. Randomize the quiz questions automatically for each run of the test so that employees cannot simply memorize the answers.
Stop Attacks

Another important step an SME should take is to create a security policy. Instruct employees to avoid clicking links in emails. Have them type the address into the Web browser manually instead. After establishing policies, enforce them with technology. “Use Web content filtering to prevent employees from going to illegitimate sites, such as links in phishing emails,” says Prince. Also filter out the spam that carries phishing attacks using a spam filter. Use penetration testing to see if and how a social engineering attack would get through enterprise defenses, and then plug any holes. “Social engineers will call in to a department and ask for an employee by name, saying, this is Mark from IT. On your computer, click Start/Run, type in Cmd, type in ipconfig/all and read everything off your screen to me,” says Evans. With that, the employee will have handed the attacker the computer’s IP addresses, its gateway and DNS servers, its physical (MAC) addresses, and its domain name: a map of the internal network that is useful for getting to data and stealing it. A good penetration test would reveal these vulnerabilities. Good training would inform employees that IT should never call asking for this information. Inform employees about acceptable and unacceptable information sharing. Have a known employee escort nonemployees where they need to go. Use security badges with photos for secure entry. Have employees minimize their screens or put their computers in sleep mode when talking to strangers onsite.
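The link-based phishing the article warns about relies on a disguised anchor: the text the employee sees looks like the bank’s site, while the href points elsewhere. The following is an added example, not code from the article or from any of the vendors quoted in it, showing the kind of check a mail gateway or Web content filter can apply before such a message reaches an inbox. It parses an email, pulls every anchor out of the HTML body, and flags links whose visible text names a different domain than the href, or whose host is not under the sender’s domain. The message, the addresses, and the domains are constructed for illustration; the two-label “registrable domain” shortcut is an assumption that stands in for a real public-suffix list.

```python
"""Flag deceptive links in a phishing email (added example, standard library only).

Two checks are applied to every anchor in the HTML body:
  1. the visible text looks like a URL but names a different domain than the href
  2. the href host is not under the sender's domain
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: a "your bank was acquired" lure. All names,
# addresses and domains are invented for this example.
SAMPLE_EMAIL = """\
From: Customer Care <alerts@example-bank.com>
To: jsmith@example-sme.com
Subject: Urgent: confirm your account after the merger
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your bank has merged. Please visit
<a href="http://login.example-bank.com.evil.example/verify">https://www.example-bank.com/secure</a>
to keep your account active.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumed simplification: treat the last two DNS labels as the owner domain.
    Good enough for this demo; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(raw_email):
    """Return a list of findings, one per anchor that fails a check."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender_addr = parseaddr(str(msg["From"]))[1]
    from_domain = registrable_domain(sender_addr.rpartition("@")[2])

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text only: no anchors to inspect
    collector = AnchorCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        href_host = urlsplit(href).hostname or ""
        reasons = []
        # Check 1: visible text is itself a URL whose domain differs from the href's.
        text_host = urlsplit(text).hostname if "://" in text else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"display text shows {text_host} but link goes to {href_host}")
        # Check 2: the link leaves the sender's own domain.
        if registrable_domain(href_host) != from_domain:
            reasons.append(f"link host {href_host} is not under sender domain {from_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed message, the first anchor is flagged on both counts (its text claims www.example-bank.com while the href lands on evil.example, which is also outside the sender’s domain), and the genuine help-page link passes. Check 2 is deliberately strict: a legitimate newsletter that links to a third-party tracker would also trip it, so in practice it feeds a score or a review queue rather than an outright block.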
Stay Informed

As threats continue to increase, the key to preventing social engineering attacks is knowledge. Know where the vulnerabilities are and secure them with training, testing, policies, and technology. Stay abreast of new developments and new attacks and keep in step with advances in the social engineering space.

by David Geer
Phone-Based Attacks

Phone-based social engineering attacks are more common and may be more effective than in-person attacks, depending on what the attacker is trying to accomplish, explains Kevin Prince, chief architect, Perimeter eSecurity (www.perimeterusa.com). Jeff Debrosse, research director, Eset (www.eset.com), describes a recent example from the presidential campaign in Broward County, Florida: social engineers used fake robo-calls, the automated recorded campaign calls, purporting to be from Brenda Snipes, Broward County supervisor of elections. The calls targeted specific people, telling them they could vote for president by phone on election Tuesday instead of going to the polls.