While cyber attacks on major organisations or governments are increasingly hitting the front pages, hackers still have plenty to gain from attacking smaller organisations, writes Wieland Alge, VP and GM EMEA at Barracuda Networks.
In the Government’s latest Information Security Breach Survey, 74pc of small and medium-sized businesses reported that they had suffered a breach. One of the most commonly used tactics in cyber attacks against smaller businesses is social engineering. While social engineering can take several forms, such as phishing or baiting, these attacks have one thing in common: they all target a link in the chain that is very often overlooked in security strategies, humans.
The social engineers work to deceive employees by passing themselves off as service providers or individuals from within the organisation in order to gain access to confidential data, make a bank transfer or penetrate the company network so they can encrypt data and demand a ransom. In most of these scenarios, the social engineering element typically forms part of a larger cyber attack.
To successfully carry out these attacks, hackers gather information from company websites and social networking sites so that they can imitate the employee or service provider whose identity they have assumed as convincingly as possible. This enables them to deceive the target victims and make them complicit in committing fraudulent acts.
Combining several pieces of data allows an attacker to create a plausible scenario to present to the target. By coming up with a pretext, the attacker can convince the victim to take a desired action. For example, they could convince the victim to visit a website of the attacker’s choice. If the attacker already knows what operating system and browser the company uses, it’s easy enough to design an attack specifically for that environment. A successfully implemented social engineering attack is quite often how serious threats end up on otherwise well-protected networks.
A determined social engineer will keep poking around until he finds the crack in the armour. That crack could come from social media, a careless conversation, an unsecured computer, some misplaced paper, and so on. The more persistent criminals may spend months researching a target before ever contacting the company, but even a few hours of prep time can result in a successful attack. Of course we know that just having a security policy isn’t good enough; employees have to be educated about the risks and follow the policy without exception. To minimise the risk of falling victim to social engineering attacks, companies should follow these three golden rules:
Rule 1: Educate your employees
Even with the best cyber security solutions in place, if the humans behind them are not aware of the dangers, the network will remain vulnerable. It is essential that every company educates its employees about the various social engineering techniques used by hackers. If they know their enemy, then they stand a fighting chance of adapting their behaviour and picking up on the first signs – however minor they may seem. A few guidelines are indispensable: check the email address of the sender; ensure that it features all of the company’s corporate elements; do not click on suspicious links; and, if in doubt, call your colleagues directly to confirm that they really are making a bona fide request. Companies can run workshops either internally or with the support of a security service provider. These give employees the opportunity to work through some light-hearted exercises based on simulated scenarios.
Rule 2: Put in place an email filtering solution
The vast majority of social engineering attacks are carried out via email. Therefore, a good email filtering solution can neutralise some of these attacks before they even reach users’ inboxes. Such solutions can scan the content of an email before it is received, and detect any corrupted attachments or links.
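As an added illustration (not part of the original article and not Barracuda's product), the short Python checker below applies the sender checks from Rule 1 and the pre-inbox attachment screening from Rule 2 to a raw message: it flags a display name that claims the company while the address belongs elsewhere, a lookalike sender domain, a Reply-To that diverts replies, and executable or macro-enabled attachments. The company domain, the risky-extension list and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the
# attachment types the filter treats as risky (both constructed values).
COMPANY_DOMAIN = "example.com"
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw):
    """Return the list of social-engineering indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims the company, but the address domain is not ours.
    if COMPANY_DOMAIN in name.lower() and domain != COMPANY_DOMAIN:
        findings.append("display-name spoof")
    # Domain is almost, but not exactly, the company's domain.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike domain " + domain)
    # Replies would go somewhere other than the apparent sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to mismatch")
    # Executable or macro-enabled attachments (only present in multipart mail).
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXTENSIONS):
            findings.append("risky attachment " + fname)
    return findings

# Constructed sample: a pretext "finance" message with a lookalike sender domain.
SAMPLE = """From: "Finance example.com" <cfo@exarnple.com>
Reply-To: cfo@mail.example
Subject: Urgent transfer

Please process the attached payment today.
"""
```

Running `check_message(SAMPLE)` reports all three sender indicators, while a plain message from the real company domain yields no findings.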
Rule 3: Implement strong data governance
Data governance is a set of processes and policies that are put in place to ensure that important data assets are formally managed. It helps make it clear to employees exactly what data they are or are not granted access to. Various levels of access should be implemented, making sure that only those who need to work with strategic and confidential files have access.
Some social engineering attacks are not carried out to breach the company’s IT systems, but simply to encourage one of the employees to perform an action such as making a bank transfer or sending confidential files or bank details to an external party. In this type of scenario, good data governance can add another layer of protection because the targeted employee will not necessarily have access to the data. The attacker would either lose interest and move on to the next target, or be forced to target other employees, thereby maximising the chances of someone discovering the attack.