While it’s the technical aspects of cyberattacks that often make headlines — software exploits, worms, ransomware, and other forms of malware — it’s actually the subversion of people (end users) that make many, if not most attacks today, successful. All attacks eventually involve technical aspects, but it’s the trickery to get someone to click on a link, open a tainted attachment, or let the alleged “IT Guy” into the server room that enables the damage to be done.
Security professionals refer to this as social engineering and it’s crucial that enterprises are aware of these tricks because they are usually the first aspect of an attack. This is because once a user has been coaxed to act, a technical attack’s chance of success increases significantly.
Social engineering tactics occur virtually anywhere people communicate — phone, email, web, text messages, in person, social networks — you name it. And if there is communication, there is likely someone trying to scam someone or infiltrate a system. So, how does an organization defend itself?
Organizational awareness. Employees today need to be trained to be cautious. They need to be reminded that the communication that comes at them in social media, email, and elsewhere is all too often deceitful and designed to trick people into acting. Employees must also be trained to not only look for ways to spot fake emails, phone calls, texts, or information on social media (memes would never be wrong or deceive, right?) but to have a constant filter in place questioning the validity of requests for them to respond to anything online. Does the email look legitimate? Do the requests from the caller feel legitimate? Is there a way to validate that this email is for real?
Test, test, test. Security awareness training has to be ongoing, and users need to be tested on whether they fall for phishing emails, texts, or phone calls. The results need to be measured to gauge the program’s effectiveness.
Check technical, financial and other policies that may be placing the organization at risk. While no policy controlling the behavior of people will ever be perfect, look for ways to ensure the proper controls and separation of duties are in place.
Reward people for following policy. For years in school and early in work people are taught to follow orders. But when it comes to averting attacks, it’s important that all employees are comfortable questioning the validity of requests and situations. No one should ever be made to feel bad, silly, or reprimanded for authenticating requests if their gut tells them something seems amiss. You want to encourage this kind of behavior.
Monitor what should be monitored. No training is going to be 100 percent effective, and no system will succeed at blocking all incoming social engineering attacks. This is why organizations need to monitor what they can and look for signs of breach and potential exploitation. This includes endpoint monitoring, scanning user system and application access patterns for anomalies, searching internal systems for unusual activities and so forth. Since no enterprise will stop all social engineering attacks, so it’s important to always be on the lookout for potential successful exploitation.
This is a Security Bloggers Network syndicated blog post authored by Cybersecurity Matters. Read the original post at: Cybersecurity Matters – DXC Blogs