Endpoint

8/6/2018
10:30 AM
Larry Ponemon
Larry Ponemon
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

IT Managers: Are You Keeping Up with Social-Engineering Attacks?

Increasingly sophisticated threats require a mix of people, processes, and technology safeguards.

Social-engineering attacks are no longer the amateurish efforts of yesterday.

Sure, your company may still get obvious phishing emails with blurry logos and rampant misspellings, or the blatantly fake "help desk" calls from unknown phone numbers, but more sophisticated attacks are becoming the norm.

Using both high-tech tools and low-tech strategies, today's social-engineering attacks are more convincing, more targeted, and more effective than before. They're also highly prevalent. Almost seven in 10 companies say they've experienced phishing and social engineering.

For this reason, it's important to understand the changing nature of these threats and what you can do to help minimize them.

Know the Threat
Today's phishing emails often look like exact replicas of communications coming from the companies they're imitating. They can even contain personal details of targeted victims, making them even more convincing.

In one incident, bad actors defrauded a U.S. company of nearly $100 million by using an email address that resembled one of the company's vendors. And in the most recent presidential election, hackers used a phishing email that appeared to come from Google to access and release a top campaign manager's emails.

Bad actors can get sensitive data in many other ways. In one case, they manipulated call-center workers to get a customer's banking password.

Another way is to target data that's visually displayed on a laptop or mobile-device screen. For example, a bad actor could pose as a trusted vendor in an office or a business associate in a foreign country and subtly capture data with a smartphone or hidden recording device.

A Three-Tiered Defense
Given the prevalence and advanced nature of social-engineering threats, your privacy and security measures should cascade across three key areas: people, processes, and technology.

Some measures to consider using in each area include:

1. People: Provide ongoing training to educate workers about social-engineering threats, and procedures for preventing or responding to them. Employees who regularly handle sensitive information are more likely to be targeted — including HR, sales, and accounting workers. They should be your company's most knowledgeable workers about threats and procedures — and should be fully engaged to help identity threats.

For example, encourage workers to use the "Report email" or "Report as phishing" icons that can be enabled in Microsoft Outlook. The service provides an easy way for workers to report suspicious messages so IT can take steps to mitigate their impact. IT managers can also monitor the use of the icon to statistically track worker awareness and engagement.

If your company has separate IT and security teams, make sure there is a clear understanding about who is responsible for managing social-engineering threats. Any misunderstanding between these parties can lead to security gaps and a lack of accountability if an attack occurs.

2. Processes: Policies that encourage workers to not click on suspicious links or provide information to outside organizations go without saying. But make sure you also have procedures for workers to give you details about attempted attacks. This can help you investigate suspicious emails, URLs, and phone numbers, and better understand your vulnerabilities.

As you review and refine your policies, always aim for simplicity. Overly complex security protocols can be too much for workers to remember and can fail.

3. Technologies: Security-perimeter controls like antivirus protection and intrusion-detection/intrusion-prevention systems remain vital. Also, use security intelligence tools to understand your security ecosystem and the potential risks you face. And encrypt data to make it unreadable, even if it's stolen. 

All laptop and mobile-device screens should be fitted with privacy filters. The filters black out the angled views of screens to help office workers and business travelers safeguard data from onlookers or even cameras.

Keep Evolving
A strong defense against social-engineering threats requires more than training and educating workers. You and your IT team must be vigilant about emerging threats so that as they evolve, your security and privacy measures evolve with them.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a privacy consultant for 3M. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
100%
0%
BrianN060,
User Rank: Ninja
8/7/2018 | 1:27:58 PM
Re: Why do social engineering attacks continue to succeed?
"There is an area of corporate responsibility that is largely neglected..." True, but don't leave out personal responsibility.  It's not all up to corporations or the government (and in a democracy, aren't we the government as well as the governed?).  There's also the aspect of corporate policies in hiring practices.  If they don't hire people of integrity, willing to take responsibility, they'll get what they deserve. 

The prevalent concern of finding qualified people to fill positions plays a role - stop prioritizing degrees, certifications and experience in someone else's organization; do your own aptitude testing and hire people you can train to do what your organization needs doing.  If you start with good people who want and know how to learn, you've got a real human resource, not just an HR commodity.  The solution to social engineering challenges isn't artificial intelligence, it resides in the ability of individuals to distinguish fact from fallacy, reason from rhetoric. 

Want a good way to test your people's ability to recognize a social engineering attack?  Have them watch the political ads in this election cycle.  If they can't spot all the techniques used to manipulate perceptions there, they wouldn't know an SE attack if it painted itself purple, and danced naked on top of a harpsicord singing "Social engineering attacks are here again!" (to paraphrase Edmond Blackadder). 
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
8/7/2018 | 7:14:04 AM
Re: Why do social engineering attacks continue to succeed?
Now we have a new threat....among about 520 other threats.  I am beginning to believe it is impossible for IT managers and staff to keep up with the invasive techniques of hackers and threat actor groups.  All they have to do is sit around and THINK about ways to penetrate a network - and then do it.  Time is on their side and we are generally reactive to their threats.  It is a CATCH-UP game forever.  Which is depressing if you think about it.  AI will help over time and we have good tools now that catch some, not all, threats.  That is probably the BEST we can do.  We cannot catch everything, we will just have to try to catch whatever we can and keep at it.  
Dave Moore
100%
0%
Dave Moore,
User Rank: Apprentice
8/6/2018 | 7:49:04 PM
Why do social engineering attacks continue to succeed?
There is an area of corporate responsibility that is largely neglected, but represents one of the most pressing issues in the world today: the need to teach the underserved public-at-large how to be safe on the Internet.

We have $600 billion in cybercrime because effective education of the general public in Internet safety is virtually nonexistent. Society has not been taught how to avoid online scams. Internet criminals victimize millions of people every day, knowing they do not know how to defend themselves. To quote H.G. Wells, "Civilization is in a race between education and catastrophe."

The Internet Safety Group is doing something about it TODAY. Nobody else is doing what we are doing: providing understandable, actionable, motivational LIVE Internet safety community training for everyone.

Please visit the Kickstarter page
<a href="https://www.kickstarter.com/projects/1274121448/fight-the-internet-bad-guys-and-win?ref=nav_search&result=project&term=internet%20safety">
Internet Safety Group Fight The Internet Bad Guys & Win!

And look. Consider. Contribute. Get involved. Share the word.

Thank you!

Dave Moore
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator &lt;= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an &quot;Update Profile&quot; &quot;Change Picture&quot; (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.