John Donegan, Enterprise Analyst at IT management software company ManageEngine, offers ten ways to stay protected from social engineering attacks.
Despite all of the cybersecurity innovations that continue to evolve, enterprises can still come under threat. That’s because humans represent the weak link in your cybersecurity measures. From sharing files, to responding to seemingly urgent requests from strangers, to revealing sensitive information, there are plenty of ways your employees can unwittingly give cyber criminals the data they need to fuel a cyber attack. Social engineering is the practice of subtly tricking employees inside a business into divulging sensitive information that should be concealed and safeguarded from external view. This is a common method for cybercriminals seeking entry points into an enterprise’s systems. At last year’s Security Fest conference, SocialProof Security CEO Rachel Tobac highlighted this, saying, “The majority of cyberattacks now start with social engineering”.
While helping companies bolster their security initiatives, Florida-based security awareness trainer Danielle Major frequently performs social engineering attacks. As Major explains, “Companies hire penetration testers to attempt to break into their computer, website, or physical location to find the vulnerabilities, so that the company has an opportunity to patch and close the holes before the bad actors have a go at it. I go after the human element because it’s the easiest.”
The human element is arguably the easiest for hackers to exploit because so many employees are unaware of social engineering attacks. That said, by employing these ten strategies, you can help keep your enterprise safe.
1. Don’t be fooled by people inquiring about your vendors.
Social engineers frequently contact businesses to inquire about vendors, such as pest extermination, landscaping, and custodial companies. According to Major, “It’s basically calling up and having a conversation with somebody, and eliciting seemingly innocuous information out of them, like ‘Who’s your janitorial service?’, ‘Who’s your caterer?’, and questions like that. If I know your carrier is FedEx, I can send you malware if I disguise it as a FedEx receipt.”
2. Avoid tagging or naming your vendors on social media.
Publicly airing grievances about vendors on Twitter can be cathartic; however, bad actors can use pest extermination companies, shipping companies, or other vendor information as fodder for future attacks.
3. Refrain from posting photos of your workstation on social media.
As they simulate the work of real-life hackers, physical penetration testers often use social media as a starting point. Tobac says, “In general, I find about 60 percent of the information that I need to infiltrate a company through Instagram alone.” After scrolling through geotagged posts, Tobac examines pictures of workstations in search of vendor and software information; seemingly innocuous things like a UPS package or a Slack icon on a computer monitor can become attack vectors.
4. Be aware of the information people can garner from online searches.
Hackers commonly scour the internet for information they can use in social engineering endeavours. For example, they often try to establish rapport by using information gleaned from social media and search engines.
5. Regularly check to see if you are tagged in other people’s social media posts.
Even if you personally don’t have social media accounts, you very well may be tagged in some of your colleagues’ posts.
6. Be especially wary of urgent requests.
To garner sympathy, social engineers often pretend to be frazzled and in a rush. During voice phishing initiatives, some hackers will play sounds of babies crying in the background, or they’ll incorporate sounds of airplanes taking off while pretending to catch a flight. Particularly brazen social engineers will actually enter offices in order to garner information about vendors—or even to slip malware into a USB port. As Major explains, “You have to protect your website, your network, and your firewalls, but really and truly, the physical portion of it is low-hanging fruit. There are various ins there. Getting inside and planting things in the network. Or planting a bug in the office. Or getting to somebody’s laptop. […] All they have to do is get to a USB port.”
7. Be wary of people who are authoritative and purposeful in action.
Social engineers will often be apologetic and quick with excuses should something seem out of the ordinary. They’ll often have their hands full with clipboards and other props.
8. Check employees’ badges closely.
Physical penetration testers will frequently create their own badges, so be on the lookout for badges that don’t look quite right.
The next two tips may seem obvious; however, we’d be remiss if we didn’t include them in our list:
9. Ensure your laptop is locked when you’re away from your workstation.
10. Never open emails or attachments from sources you don’t recognise.
By practicing these steps, you can keep your organisation safe from social engineering attacks.