By Ilan Paretsky.
If someone had predicted, a decade or two ago, that knowledge of psychology and human behavior would one day be a key factor in protecting IT systems from cyber criminals, it would have seemed far-fetched.
However, it’s very much the reality facing security professionals in 2018.
Modern cyber criminals aren’t merely the command-line savants depicted in popular culture. “Hacking” in 2018 is also about manipulation and confidence trickery. Hackers deploy these tactics alongside their technical weaponry — and that makes them hard to fight against.
Traditional solutions, such as antivirus products and firewalls, remain essential defensive weapons in the armories of every IT department. However, even if these products were completely airtight (which isn’t the case), there’s no “magic bullet” hardware or software solution that can keep company systems safe from harm. The reality is that system security is often as much about protecting users from themselves as shoring up technical defences.
Thankfully, there are some highly effective ways to fight back against security threats that exploit human weaknesses, the most widespread of which is social engineering.
What is Social Engineering?
A range of studies identify social engineering as among the most prevalent current threats to corporate IT systems.
For those familiar with the concept of “social engineering” as applied to cyber attacks, phishing is probably the tactic associated most strongly with the term. However, social engineering can take on many forms.
Criminals can choose from a varied selection of social engineering tricks. These include phishing emails, which many of us have received, that appear to come from legitimate sources, and phone calls from callers posing as reps from IT departments or software companies. Beyond attempting to trick people into revealing personal details such as logons and passwords, the hackers’ objectives can include enticing people to download malware by convincing them that some “out of date” software is in critical need of an update.
Social engineering at its most devious plays upon human emotions, particularly (and ironically) fear, and uses psychology to increase the criminals’ chance of success. Techniques include using angry-sounding emails, spoofed to appear to come from someone in an internal position of authority, demanding that finance staff make an immediate payment. Targeting staff who may fear for their jobs, these emails play into hackers’ hands when individuals quickly respond as requested by “their boss”.
Other tactics include exerting time pressure (an email appearing to be an urgent court summons), appealing to greed (the promise of a tax refund), or even leveraging simple curiosity (a link to a celebrity video). In all these cases, computer users are being “engineered” into opening a file, clicking a link, or performing some other action that results in a malware download or a data breach. The hackers are using urgency, fear, and panic to complement their technical attacks by manipulating users into responding.
Why are Companies Vulnerable?
Cyber criminals use social engineering techniques because they work. Typically, around 60% of companies fall prey to at least one incident each year in which an employee is successfully duped.
The need for “user education” on this issue is a common refrain of IT professionals. However, success cannot be achieved by simply informing people about how to identify suspicious emails and fake ads, or even by practising with real-life examples, and then assuming that they know enough to not take the bait. Even IT security professionals are sometimes fooled by social engineering. Hackers continually work on perfecting emails, ads, and social media posts that can trick even the most experienced specialists.
So long as hackers continue to develop and refine their methods, they will continue to catch new victims. Of course, ongoing education is crucially important — but it will never be enough in itself. In a world where cyber criminals are bold enough to target IT professionals directly, a multi-pronged approach is clearly necessary.
How SHOULD Companies Protect Against Social Engineering?
There are three key ways to mitigate the social engineering threat facing companies:
1. User Education
Educating system users isn’t sufficient to completely secure infrastructure from every possible social engineering threat. However, it’s a crucial step.
Encouraging users to engage critical thinking skills and to adopt a sceptical approach to all links and communications can go a long way to helping them avoid falling for less sophisticated social engineering attacks.
Showing employees examples of socially engineered emails and web content, and pointing out identifying characteristics, can help raise awareness. As with so many real-life threats out there, it’s easy to find examples. These can range from well-crafted phishing emails to reports of how cyber criminals operate telephone-based social engineering scams.
Another way to really drive home the importance of online vigilance is to test users against social engineering attempts. Typically, a penetration testing service or internal security team will periodically target one or more user groups to see if they succumb to a simulated social engineering scam. The testers often succeed, and the results can then form the basis of further training.
2. Install and Use Firewalls and Filters
Hardware and software measures such as spam and web filters can never provide 100% protection against social engineering. In a constant game of “cat and mouse,” criminals continually design and launch new attacks against which solution vendors cannot yet defend.
However, eliminating a significant majority of phishing emails and blocking fake login pages and sham websites does go a long way toward protecting against the threats. The use of signature-based systems, whitelist/blacklist, and filtering solutions is an essential baseline in a layered approach to protecting IT infrastructure.
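The spoofed “your boss needs an immediate payment” emails described earlier are exactly the kind of message a filtering layer can catch with a few cheap header and content heuristics. The following is an added example, not Ericom’s code or any product’s; it assumes a constructed executive directory and two constructed sample messages, and flags a message when at least two independent signals (display-name spoofing, a foreign Reply-To, urgency paired with a payment request) coincide.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumption for this example: the internal executives that
# payment-demand emails most often impersonate, keyed by display name.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Pressure wording the article describes: urgency paired with a payment request.
URGENCY_TERMS = ("immediately", "urgent", "right away", "asap", "today")
PAYMENT_TERMS = ("wire", "payment", "transfer", "invoice", "bank")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_message(raw: str) -> dict:
    """Apply three header/content heuristics to one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # 1. Executive's display name, but the address is not the one on record.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name spoofing")
    # 2. Reply-To steering answers to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append("reply-to domain mismatch")
    # 3. Urgency combined with a payment request in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        findings.append("urgent payment request")
    # Two independent signals together are treated as worth quarantining.
    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages, not real mail.
SPOOFED = """\
From: Jane Doe <jane.doe@mail-example.co>
Reply-To: jd.ceo@webmail.example
Subject: URGENT wire needed today

Please process this payment immediately, I am in a meeting and cannot talk.
"""
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning notes

Attached are the notes from yesterday's meeting. No action needed.
"""
```

Such heuristics complement, rather than replace, authentication checks like SPF, DKIM and DMARC, which catch the cases where the sending domain itself is forged.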
3. Add a Secure Browsing Solution
A smart addition to the IT team’s protective arsenal is a secure browsing solution that uses Remote Browser Isolation (RBI) to keep malware away from all endpoint devices.
The web browser is often the point at which malware enters a company as a result of social engineering attacks, either through clicks on links or visits to compromised social media posts. By isolating the browser environment, companies can prevent threats from entering the network and rapidly spreading. (A headline-grabbing example of where this happened was the “WannaCry” ransomware attack, which spread so quickly because it was able to propagate over network file shares.)
With more and more companies allowing staff to use their own devices for work, it makes sense to implement safety measures that cover all devices, not just those that are company-owned. Be sure to choose a secure browsing solution that works with all devices, operating systems and browsers.
Protecting companies from social engineering isn’t about doing any one thing. It’s about a well-considered approach that encompasses user education, application of the right technical tools, and implementation of well thought-out policies and procedures.
IT teams must be vigilant in constantly educating users, but education alone is simply not enough. They must also make the attack surface as small as possible by implementing URL filtering and secure web gateways, as well as non-detection-based solutions like Remote Browser Isolation to protect systems when users inevitably fall prey to social engineering attacks, despite all efforts.
Cyber criminals think of every possible attack point when they seek to compromise systems. A comprehensive enterprise security strategy in 2018 needs to give as much thought to safeguarding against attacks on the human factor as it does to malware that manipulates hardware and software.