Cyber criminals will use any means available to get your information or you money – both, if possible. They are performing technical attacks against every device connected to the internet, probing for vulnerabilities, bad configurations or poor security. It does not matter the size of your organization; whether you are Fortune 500 company with 2,000 employees or if you are startup with only three employees, you are at risk of being under attack. But cyber criminals are also using another kind of attack to take advantage of our natural tendency to trust.
Cyber security professionals refer to these as social engineering attacks, but they are really the same confidence scams that are as old as human history.
Phishing emails are the technique most of have seen; they are designed to get you to click on a link, launch an attachment, call a phone number or make contact with a con artist. But did you know social engineering can involve phone calls, fake web sites, emails targeted at specific personnel and even physical activities? If you research social engineering, you will see terms like:
- Spear Phishing (targeting specific individuals)
- Shoulder Surfing and Tailgating (bypassing physical security controls)
- Pretexting (invented scenarios to take advantage of the victim)
- Baiting (offering something they cannot resist)
- Quid pro quo (helping someone solve a problem, while taking advantage of them)
- Credential Collecting Site (a fake site tricking the victim into entering their credentials)
- Ransomware (malware that holds your data hostage until you pay the ransom)
Some of these are petty criminals looking to make a quick buck by stealing your credit card information, selling your identity or charging you for fake merchandise or services. The really dangerous criminals want access to your network, computers and applications so they can drain your bank account, steal trade secrets or take advantage of your employees.
Protecting yourself from cyber criminals can be challenging, but here are a few ideas to reduce the risk from social engineering:
- Knowledge – Understand your environment, what information needs to be protected and how it is protected.
- Internal Controls – Implement internal controls to protect your financial systems from fraudulent transactions, or at least detect them if they occur.
- Training – Take time to train your team about Social Engineering. Not just the daily phishing emails, but all forms of social engineering and who/how/when to report suspicious activity.
- Culture – Encourage a culture where it is okay to report potential attempts – even the “I may have clicked on something” reports, so you can reinforce training and identify issues early.
- Technology – Many technology solutions exist to help with everything from inspecting emails for attachments and links, to blocking connections to malware sites, requiring strong authentication and logging security events. The key thing to remember is technology is part of the overall solution; there is no silver bullet.
- Vigilance – Make the effort to evaluate your security, test user knowledge and assess the people, process and technology environment on a regular basis to determine where updates, changes, or new solutions may be needed. An ongoing process is critical to maintaining security.
Technology advances continue to break down geographic barriers, enable new business opportunities and improve our efficiency, but they also increase our risks. Social engineering attacks take advantage of the technological advances while exploiting the weak points in our defenses, our people. The threats are present and the risks are real, so address them using the appropriate combination of the recommendations above that fit your environment. While there is no silver bullet, there are many ways to reduce the risk for your organization using the right combination of people, process and technology.
Rob Rudloff, CISSP-ISSMP, MBA, is Partner-in-Charge of the Cyber Security Risk Services at RubinBrown, one of the nation’s top 50 accounting and business consulting firms. He specializes in application and network security vulnerability and penetration testing, security policy and procedure support, security posture reviews, mitigation support and architecture development. Rob has more than 20 years of IT security experience as an Air Force officer, consultant and Chief Information Security Officer.