Social Engineers can cause serious damage to their victims, which may be social, economic or reputational. It is now more important than ever to understand what precautions can be taken to prevent, mitigate and contain the damage that a Social Engineering attack can cause.
The sections below describe some of the common Social Engineering mitigation strategies that companies and individuals can use to protect themselves from Social Engineering attacks.
1- Physical Security
For any security conscious business, the first priority has to be strong physical security, enforced throughout the organization and applied consistently to everyone. With lax controls, attackers will have little trouble physically reaching the workstations they need to launch their digital attack. In addition, once clear and concise security policies are established and implemented, they should be periodically tested to determine the state of security awareness among staff and to close any gaps that are identified. It is equally important for staff to be continually reminded that the possibility of an attack is real and that it can occur at any time without warning.
It is good practice to have signs around the entrance to the workplace reminding employees not to plug in any USB drives or other digital devices they find around the premises, but to hand them to the relevant department for expert analysis, and also to stay vigilant and report any suspicious behaviour to security. It may also be a good idea to have employees acknowledge and sign a reminder of security best practices each month.
Physical security can be bolstered with all-round CCTV coverage and a clearly defined human perimeter defence space on the premises. Installing protective physical barriers, security lighting, alarms and motion detection systems, and using biometrics to identify employees, can go a long way in protecting a business from a potential attack.
With sufficient physical controls in place, a company may be able to repel a substantial Social Engineering attack. Without strict physical security protocols, however, the company is leaving its doors open to unauthorised visitors with malicious intent, who can enter the premises, plant malware, Trojans and spyware, and circumvent the controls to access the data they want.
2- Internal/Digital Security
Another logical step in the fight against Social Engineering is rolling out a series of digital protective services and software tools to reduce the risk of attacks. It is worth pointing out that although digital security services may be effective against certain types of Social Engineering attack, they may turn out to be completely useless against others. For example, a reliable spam filter with an up-to-date blacklist, combined with antivirus/malware protection and a good firewall, may go a long way in protecting a company from phishing attacks. But these measures will be completely useless against physical baiting or tailgating.
However, this does not necessarily mean that enterprises should not invest in software protection mechanisms, because they do provide partial protection. When it comes to protecting digital data and assets, the rule of thumb is that the more security measures are undertaken, the better.
To reduce some of the technical risks that arise from Social Engineering attacks, sandboxing mechanisms can be very productive. Sandboxing is the creation of an isolated virtual machine, which protects the network from self-propagating malware that would otherwise spread across the domain, even if an employee inadvertently plugs a compromised USB flash drive into their computer. Sandboxing is so effective against some visual deception attacks that popular browsers such as Chromium and Firefox have built-in sandboxing to prevent exploitation through the browser.
Other dedicated measures, such as proactive monitoring, strict user authentication and accounting, and targeted machine learning and analysis algorithms that observe normal system behaviour and learn to distinguish legitimate from illegitimate user actions and data/packet inconsistencies, can be very effective mitigations against Social Engineering attacks. Machine and behavioural learning systems in particular have become efficient enough to detect and stop sophisticated Social Engineering attacks such as spear phishing.
The internal security mechanisms described above, and many other security solutions available from specialist vendors, can serve as a powerful shield to protect businesses from Social Engineering attacks. Once implemented, these solutions may require continuous manual monitoring. For example, daily, weekly or monthly analysis of the attacks that have been detected and blocked is necessary to ensure that legitimate connections are not being unnecessarily stopped.
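As an added illustration of the behavioural baselining and false-positive review described above (example code written for this article, not a product the page mentions), the following Python learns each user's normal login pattern from a constructed authentication log and flags later logins that deviate in more than one way; the log lines, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample authentication log (not real data); each line is one login event.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=alice country=GB device=LAPTOP-01 result=success
2024-03-02T08:58:03Z user=alice country=GB device=LAPTOP-01 result=success
2024-03-01T10:30:22Z user=bob country=GB device=LAPTOP-07 result=success
2024-03-03T03:41:55Z user=alice country=RO device=UNKNOWN-9 result=success
2024-03-03T10:05:17Z user=bob country=GB device=LAPTOP-07 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>\S+) "
                     r"device=(?P<device>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the job."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["day"], e["hour"] = e["ts"][:10], int(e["ts"][11:13])
        events.append(e)
    return events

def build_baselines(events):
    """Learn each user's normal countries, devices and login hours from successful logins."""
    base = defaultdict(lambda: {"country": set(), "device": set(), "hour": set()})
    for e in events:
        if e["result"] == "success":
            for key in ("country", "device", "hour"):
                base[e["user"]][key].add(e[key])
    return base

def deviations(e, baseline):
    """Reasons an event departs from the user's baseline (empty list = looks normal)."""
    reasons = [f"new {k}" for k in ("country", "device") if e[k] not in baseline[k]]
    if all(abs(e["hour"] - h) > 2 for h in baseline["hour"]):
        reasons.append("unusual hour")
    return reasons
def detect(log_text, training_days, min_reasons=2):
    """Baseline on training_days, then alert on later events with >= min_reasons deviations.
    Needing several deviations keeps a lone new device or one late login from becoming noise."""
    events = parse(log_text)
    baselines = build_baselines([e for e in events if e["day"] in training_days])
    alerts = []
    for e in events:
        if e["day"] not in training_days:
            reasons = deviations(e, baselines[e["user"]])
            if len(reasons) >= min_reasons:
                alerts.append((e["user"], e["ts"], reasons))
    return alerts
```

Lowering min_reasons to 1 shows how quickly single-signal rules generate the alerts that the periodic review mentioned above has to weed out.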
These digital protective measures may block the first few attack attempts by Social Engineers, but what businesses need to understand is that Social Engineers and hackers are devoted and work full time to find exploits if they have a good motive to hack a particular company. It is a cat and mouse game in which the system may be able to block a certain number of attempts, but the attacker may then gain the upper hand and find a technical exploit that gives them the access they require. By continually analysing attack attempts and upgrading the infrastructure accordingly, businesses can better protect themselves from these attacks.
3- Implementation of efficient Security policy & procedures
Because of the ever changing dynamics of today's IT world, it is crucial that managers and employees alike are aware of a company's current security policies and procedures. The security policy contains the procedures and guidelines that dictate how an organisation protects its data and assets.
For maximum effectiveness it is imperative to have a concise and clearly defined set of rules, available to all employees regardless of rank. But these policies should also be protected from unauthorised access, since they could help attackers gain insight into the inner workings of a company. The lack of a clear security policy can in effect become the cause of widespread non-compliance among employees, leading to successful attacks and fines from authorities.
One of the greatest benefits of enforcing security policies and procedures (e.g. a policy on data protection, a prohibition on posting business-related information on social media, or policies on bring your own device, BYOD) is that they protect the company not only from intruder attacks but also from potential lawsuits and action by local authorities that may follow a successful attack where the business was non-compliant. In addition, a well maintained and regularly updated policy, which is the end result of comprehensive research, updated laws, lessons learned from previous attacks and the policies of other successful businesses in the same industry, can greatly reduce risk.
Security policies also govern computer use at work. An employee wilfully accessing a compromised website, or being led to one by a phishing attack, puts the enterprise at greater risk because their workstation is connected to the network. Effective computer access and authorisation policies, along with a competent firewall and robust, reliable enterprise antivirus, should be sufficient to stop any inadvertent exposure of the company's IT infrastructure to potential harm.
4- Penetration testing
When a company has employed enough security measures and feels confident that it has protected itself from attack, it is a good idea to get a second opinion from an established, professional penetration tester. The primary purpose of a penetration test is to determine technical vulnerabilities and weaknesses in the network, systems and applications used by the business. As well as testing the resilience of the company's digital assets, many penetration testing firms also offer to assess the security outlook of business employees.
By employing the same tactics as a malicious Social Engineer, but with the company's consent, a professional penetration tester will attempt to access the system by human manipulation, direct hacking or other tricks such as telephone pretexting, phishing, baiting, tailgating or browser-based exploitation attacks. Once the simulated attack is over, the firm or professional leading it presents the employer with a detailed report of the vulnerabilities identified, the probable causes of the weaknesses and remedial strategies the business can follow to patch the identified weak points.
If the focus of the simulated attack was internal employees as well as infrastructure, the company may also discover which human manipulation technique was used to gain access to the desired information. This information can be very useful in hardening the network and the employees in preparation for a real-life attack.
To defeat the cancer of cyber crime, companies will need to go above and beyond normal business practice to stay on top of the game. The security challenges in today's digital world are dynamic, daunting and convoluted, to say the least. Robust cyber security and continual testing of infrastructure and employees should therefore be a top priority for companies. A holistic and comprehensive strategy that deals with risk management and cyber security, aided by automated technology that can identify security gaps, will go a long way in helping businesses protect themselves from the dangers of cyber crime and Social Engineering attacks.
5- User training and security awareness
Because people are easily accessible and evidently more exploitable than technology, the human element in businesses remains the most vulnerable to Social Engineers. Policies requiring strong passwords, two-factor authentication for work logins, top-of-the-range firewalls and IDS really do not matter if employees do not understand the importance of keeping their PINs, passwords and access cards safe. The fact is that none of these security measures matters, because a company's security is only as strong as its weakest link, which in this case is its employees.
Social Engineers and hackers have been aware, since the inception of technology, that the human link in any technology equation is always the most exploitable element. Humans are the mouldable key that can be easily manipulated to gain entry to any network, system or data. They know that human heart and flesh are weak, which is why the trend of accessing targets through 'technology only' is changing. Obtaining information from someone under false pretences, by manipulation, deceit and coercion, is now conventional.
In essence, the most effective mitigation strategy for Social Engineering is education. With periodic and systematic security training, guidance and frequent reminders of the need to stay on guard and vigilant against suspicious behaviour, businesses can effectively turn their weakest link into their strongest.
It is vital for employees to understand the significance of protecting sensitive information, as well as how a Social Engineer might strike. With awareness they can learn the various attack vectors and develop the ability to differentiate between a dispersed and a direct attack. With education, employees can learn that a Social Engineer won't directly say "Give me the access code for the server room, please?". Instead they will tie together little pieces of information acquired over time, decipher the cues and signals given to them by multiple employees and then join all the pieces of the jigsaw puzzle to unearth the information they have been after.
Although the preparatory work for training and the delivery itself can be labour intensive and costly, and the long-term benefits may be uncertain at first, this is the plunge companies will have to take if they wish to fortify themselves against Social Engineering attacks. Absolute security can never be guaranteed, but by playing smart and educating employees on security awareness, companies can turn their ignorant workers into educated and resourceful watchmen, essentially turning them from a liability into an asset.