PROTECT YOUR WEAKEST SECURITY LINK: END USERS
A GUIDE TO DEFENDING AGAINST SOCIAL ENGINEERING ATTACKS
Protect your weakest security link—end users 1
2015 MARKED AN IMPORTANT YEAR in the world of network security. For the first time, social engineering attacks outnumbered attacks on software vulnerabilities and exploits. This is a serious problem.

For companies to stay productive, they need employees to be able to work from anywhere on any device, often collaborating with people around the world. This mobility drives not only the need for secure file sharing and email accounts but also a fundamental shift in our approach to computer security.

Since January 2015, the number of victims identified by the FBI has increased 270%, costing businesses more than $2.3 billion [1]. The message to network security professionals is clear. Hackers are targeting the weakest link in any security perimeter—the end user.

This book is your guide to helping you detect and prevent social engineering attacks, and to better understand how to defend your company from what has grown to become the dominant global cyberthreat.

AMATEURS HACK COMPUTERS. PROFESSIONALS HACK HUMANS.
WHAT IS SOCIAL ENGINEERING?

Social engineering happens when someone uses manipulation, influence or deception to get another person to release information or to perform some sort of action that benefits a hacker.

Hackers will often take advantage of genuine security gaps in your network. But at organizations of any size, layers of sophisticated computer security can be undone in seconds because one employee—whether because of trust, lack of awareness, or carelessness—reveals company information to someone with malicious intent.

Your employees could be tricked into anything from allowing someone to tailgate them into your data center to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as:

PERSONAL INFO: passwords, account numbers
COMPANY INFO: phone lists, identity badges
SERVER INFO: servers, networks, non-public URLs

Familiarizing yourself with social engineering techniques is your first line of defense.

SO, WHAT DOES A SOCIAL ENGINEER SOUND LIKE?

You might believe that social engineers would be easy to spot. But often enough, they sound like people you run into at work every day.

ON THE PHONE
“This is Kevin from IT. We've been notified of a virus on your department’s machines.”
One of the most common scams: a hacker poses as an IT help desk worker to glean sensitive info such as passwords from an unsuspecting employee.

AT THE RECEPTION DESK
“Hi, I’m the service tech from HP and I think Ellen is expecting me at 1pm.”
This is why it’s so important that well-meaning staff members and other insiders be educated as to how and why they could be targeted—and what to do if they suspect a potential threat.

AT THE BUILDING ENTRANCE
“Oh! Wait, could you please hold the door? I left my key/access card in my car.”
People want to be helpful, and they often downplay the risks of engaging with someone they don’t know—and that can be a perilous mix.
TACTIC NO. 1: SPEAR PHISHING

Spear phishing is a targeted email attack in which a hacker uses email to masquerade as someone the target knows and trusts. This is often as simple as copying the name of a CEO from a company website and then sending an email using this name to anyone on the company’s corporate domain.

Spear phishing is the single most common (and effective) social engineering tactic. You’ve likely seen subject lines like these before and hopefully hit “delete” right away:

"Notice of pending layoff: Click here to register for severance pay."
"In an effort to cut costs, we’re sending this year’s W-2s electronically."

But hackers are getting more convincing and creative with email that, when opened, infects your machine. Here are a few tactics to watch for…

USING THE NEWS AGAINST YOU – Whatever’s getting attention in the news can be used as a social engineering lure. For example, 2016 has seen a rise in the number of spam messages related to the presidential campaign.

ABUSING FAITH IN SOCIAL NETWORKING SITES – Millions of people use social networking sites like Facebook and LinkedIn daily, so they develop a certain trust in them. Then, when an email says, “Your Facebook account is undergoing routine maintenance, please click to update your information,” you don’t think twice before you click.
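The CEO-name trick described above leaves a detectable trace at the mail gateway: the display name matches a known executive while the sending domain is not the company's. The following is an added defender-side example, not code from the e-book or from Microsoft; the executive names, the internal domain, the look-alike domain and the three sample messages are all constructed, and the urgency-word check is only reported alongside another anomaly because urgency wording alone is common in legitimate mail.

```python
"""Display-name impersonation check for inbound mail (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Hypothetical company data, constructed for this example: executive names as
# they appear on the public website (exactly what an impersonator copies) and
# the domains the company really sends mail from.
EXECUTIVE_NAMES = {"Ellen Example", "Kevin Example"}
INTERNAL_DOMAINS = {"example-corp.com"}
# Words that create the false sense of urgency social engineers rely on.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")


def _norm_name(name: str) -> str:
    """Lower-case, drop punctuation and sort tokens so that
    'EXAMPLE, Ellen' and 'ellen example' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z0-9]+", name.lower())))


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message: str) -> List[str]:
    """Return human-readable findings for one RFC 5322 message.
    An empty list means no check fired."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Executive display name on a non-company sending domain.
    executives = {_norm_name(n) for n in EXECUTIVE_NAMES}
    if _norm_name(from_name) in executives and from_dom not in INTERNAL_DOMAINS:
        findings.append(f"display name '{from_name}' matches an executive but the "
                        f"sender domain '{from_dom}' is external")

    # 2. Sender domain within two edits of a real company domain (e.g. 0 for o).
    if from_dom and from_dom not in INTERNAL_DOMAINS:
        for good in INTERNAL_DOMAINS:
            if _edit_distance(from_dom, good) <= 2:
                findings.append(f"sender domain '{from_dom}' looks like the "
                                f"internal domain '{good}'")

    # 3. Replies silently redirected to another domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To '{reply_addr}' is on a different domain "
                        f"than From '{from_addr}'")

    # 4. Urgency wording, reported only when it accompanies another anomaly.
    subject = msg.get("Subject", "").lower()
    cues = [w for w in URGENCY_WORDS if w in subject]
    if cues and findings:
        findings.append(f"subject adds urgency cues {cues} on top of sender anomalies")
    return findings


# Constructed sample messages (no real people, domains or campaigns).
SPOOFED_EXECUTIVE = """\
From: Ellen Example <ellen.example.ceo@webmail.example>
Reply-To: Ellen Example <ellen.example.ceo@webmail.example>
To: accounts@example-corp.com
Subject: Urgent: wire transfer needed today

Are you at your desk? I need a payment sent before 1pm.
"""

LOOKALIKE_DOMAIN = """\
From: IT Help Desk <helpdesk@example-c0rp.com>
To: staff@example-corp.com
Subject: Your password expires today

Log in here to keep your account active.
"""

LEGITIMATE = """\
From: Ellen Example <ellen@example-corp.com>
To: accounts@example-corp.com
Subject: Urgent: wire transfer needed today

Board approved; paperwork is in the shared folder.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_EXECUTIVE),
                       ("lookalike", LOOKALIKE_DOMAIN),
                       ("legit", LEGITIMATE)]:
        print(label, assess(raw) or ["no findings"])
```

The legitimate message carries the same urgent subject as the spoofed one but produces no findings, which is the point: the sender identity checks, not the wording, do the work.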
TACTIC NO. 2: DUMPSTER DIVING

Dumpster diving is exactly what it sounds like: a hacker digs through the trash that unsuspecting employees have thrown away. Valuable finds might include:

Junk mail (especially credit card offers), which can contain personal identification info that’s just the ticket to identity theft.
Company phone lists and org charts that offer numbers and locations that make it easier to impersonate management-level team members.
Corporate letterhead that can be used to fake official-looking correspondence.

Hackers will also buy refurbished computers and will pull confidential information from hard drives, even after users think they have deleted it.
SOCIAL ENGINEERING ATTACKS HAVE THE POTENTIAL TO CRIPPLE BUSINESSES.
TACTIC NO. 3: 10° OF SEPARATION

Social engineers are clever, methodical, and patient. They often start by building a rapport with more accessible people in an organization—like an administrative assistant or a guard at the gate—to get information about their ultimate target, who may be as many as ten steps higher up on the corporate food chain.

The criminal may begin by gathering personal nuggets about team members, as well as other "social cues" to build trust or even successfully masquerade as an employee. Some of their strategies are incredibly simple, and insidious:

THEY LEARN YOUR INDUSTRY SHORTHAND – A hacker will study the acronyms and jargon of your industry so she can build trust by speaking the language you recognize.

THEY BORROW YOUR 'HOLD' MUSIC – In this deceptively simple scheme, the criminal calls, gets put on hold, and records the music. Then, when he calls his victims and puts them on hold, the familiar music serves as a psychological cue that the caller is trustworthy and on the inside.

THEY SPOOF YOUR PHONE NUMBER – Criminals make an inside number show up on the victim’s caller ID, which makes the victim more willing to offer confidential information like passwords over the phone.
LET'S TALK ABOUT IMPACT

Social engineering is a very real problem with very few real solutions. In addition to the obvious financial toll, a company’s reputation can take a major hit when a hack becomes public. Compromised personal data can erode the faith and goodwill of its customer base—and that too affects the bottom line. Here's what we know…

1. Attackers are increasingly infecting computers by tricking people into doing it themselves. A mind-blowing 99.7% of docs used in attachment-based campaigns relied on social engineering and macros. And 98% of URLs in malicious messages link to hosted malware. [2]

2. On social media, phishing is 10 times more likely than malware. Because creating fake social media accounts for known brands is so easy, phishing is the fastest growing social media threat. Distinguishing the fraudulent from the legitimate is tough too: 40% of accounts claiming to represent Fortune 100 companies on Facebook and 20% on Twitter are unauthorized. [3]

3. More than 2 billion mobile apps that steal personal data have been willingly downloaded. Email and social media are not the only social engineering playgrounds—these criminals do big business via malicious mobile apps too. More than 12,000 have been discovered in app stores alone. [4]
MALWARE ATTACKS HAVE GONE GLOBAL

No country is immune to social engineering attacks, no matter how sophisticated its technology. This graphic shows the distribution of top social engineering campaigns by geographical region. [5]

[Map: 2015 worldwide social engineering attacks by geographical region]
HOW DO YOU PROTECT YOUR ORGANIZATION?

Social engineering is an undeniable and potentially disastrous reality. So, what can organizations like yours do proactively to protect your vulnerable people and keep valuable data out of the hands of scam artists with intent to do harm?

REAL-WORLD PREVENTION STRATEGIES

What follows is a list of tangible changes you can make and security policies you can implement that can help. But remember, for any of this work to be effective, education is absolutely crucial. To mitigate your risk, start with new-employee training and follow through with regular threat assessments, policy updates, and company-wide reviews. Also keep communication open and your team members well informed.

Clearly articulate an easy-to-understand security policy, which includes:

Change management – When your team is comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they’re less vulnerable to an attack that relies on a false sense of urgency.

Information classification – Ensure that confidential information is clearly called out and handled as such.

Document destruction – Confidential info should be shredded rather than tossed into the trash or recycling.

Physical security – Controls such as visitor logs, electronic security devices, escort requirements, and background checks are key to a comprehensive security policy.

Password management – Outline rigorous standards for secure passwords and insist on regular expiration and change. Also ensure careful onsite and remote access authorization and accountability.

Two-factor authentication – Use two-factor authentication rather than fixed passwords to authenticate high-risk network services like VPNs.

Antivirus/anti-phishing defenses – Layers of the latest antivirus defenses at vulnerable locations like mail gateways and end-user desktops aren’t going to solve the problem, but they’re a good place to start.

Build a security-aware culture:

Promote an awareness of threats and risky behavior – Educating employees on the real-world damage done by such theft to other companies is particularly impactful.

Empower employees to recognize threats and make smart security decisions on their own – Because social engineering tactics change so frequently, fostering a sensitivity to risk and the tools for addressing it immediately and locally is key.

Embed security awareness deeply in the minds of your team members – You’ve probably heard of the “see something/say something” anti-terrorism campaign. Likewise, to counter cyber attacks of all kinds, ensure that employees at every organizational level feel comfortable with reporting anything suspicious.
THE WORLD IS NOW MADE OF COMPANIES THAT HAVE BEEN HACKED, AND COMPANIES THAT ARE ABOUT TO BE HACKED.
First of all, no matter how strong your technical security is, your organization’s people are often the most vulnerable link in the chain. But, with thorough, thoughtful, and regular education, they can also be your biggest asset in your fight against social engineering. However, this is only possible when every individual in the organization clearly understands the very real risks, the strategies that can offer protection, and the big-picture goals and limitations of enterprise security.

Finally, because the fight against social engineering is so complex and challenging, no ONE suggestion or strategy outlined here will guarantee security. But, by proactively attacking the problem from all sides, adopting viable prevention strategies, and promoting a security-aware culture, you can help to protect your organization, your data, and your people from this insidious 21st century threat.

YOUR EMPLOYEES ARE ONE OF THE BEST RESOURCES YOU HAVE TO PROTECT YOUR SYSTEM.
ALL OVER THE GLOBE, SOCIAL ENGINEERING IS A DOMINANT AND GROWING THREAT TO ORGANIZATIONAL SECURITY.

Microsoft invests over $1 billion a year in cybersecurity research, and has developed a state-of-the-art Cyber Defense Operations Center that brings together security response experts from across the company to help protect, detect and respond to threats in real time.
1. CompTIA, 9th Annual Report: Information Security Trends. https://www.comptia.org/resources/9th-annual-information-security-trends
2. Proofpoint, The Human Factor report, 2016.
3. NextGate, research paper: The State of Social Media Infrastructure.
4. Proofpoint, The Human Factor report, 2016.
5. Proofpoint, The Human Factor report, 2016 (map).
Insiders Guide to Social Engineering - End-Users are the Weakest Link