In today’s information security environment, great technological strides have been made in the areas of network protection, data encryption, intrusion detection, and response. However, you can’t put firewalls or IDS controls on a human being – and hackers are well aware. This is why social engineering is both extremely ubiquitous and extremely successful.
Social engineering attacks seek to obtain malicious access to systems via manipulating human behavior to facilitate the compromise of legitimate authentication and authorization credentials. In short, I, the hacker, will fool you into clicking a link that will send me your login information, or verbally convince you to pass along sensitive information over the phone.
We previously discussed some of the more common attacks, but in this post, I’d like to focus on some methods an organization can employ to defend against such attacks.
Education
Anti-social engineering training is one of the most effective ways to combat these attacks. The training should focus on the current attack methods with actual examples and lessons on how to spot the illegitimate aspects of the attack.
Another key component of an effective training program is having actual members of the organization that have fallen victim to a social engineering attack share their experiences and discuss what induced them to fall for the malicious requests.
Many organizations are also employing artificial phishing campaigns as a form of training. Utilizing a controlled attack methodology allows for identifying employees who seem to be more susceptible and may require more extensive training.
Multi-Factor Authentication
Implementing multi-factor authentication (MFA) is an effective way to protect sensitive data. Multi-factor authentication requires another level of identity validation beyond just a username and password. This is commonly applied via a text message to user’s phone, or an approval request to an app on a user’s phone. The key is, even if a user gives up their login information, sensitive data can be further protected by requiring that an additional level of authentication (that cannot be manipulated by the hacker) be required for access.
Anti-Social Engineering Technologies
There are many platforms offering anti-malware, web site filtering and anti-spam capabilities. These can help prevent phishing attacks from ever reaching a user. And while they are effective, the attackers tend to be one step ahead of these technologies and are constantly evolving their attacks to subvert these protections.
Summary
Social engineering will remain one of the most effective ways to gain malicious access to information and systems. While attackers are evolving their approaches, a robust training regimen and the appropriate implementation of targeted technologies can reduce a company’s exposure.
To learn more, be sure to join us on Thursday November 8th at 1 PM CST for our UPCOMING security webinar, PeopleSoft & Social Engineering Attacks: Common Techniques & How to Prevent Them.