For all the technological protections you install, and for all the access-control policies you put in place, the most problematic part of defending corporate security still comes from staff, who are proving to be putty in the hands of resourceful hackers using creative approaches to social engineering to boost the efficacy of their attacks.
Social engineering’s reliance on personal information used to mean that hackers had to work a bit to collect useful information. These days, what used to take hours can be accomplished in minutes thanks to data-matching services like Spokeo and PeekYou, which already derive a frightening amount of personal information by cross-matching public records. And employees are filling in the gaps by posting personal information on Facebook or meticulously documenting current work projects on LinkedIn.
If you think hackers won’t notice when the CEO posts on Twitter that she will be travelling overseas for the next week – a signal to resourceful attackers that it’s a great time for a business email compromise (BEC) attack – you’re managing your security by desperate hope rather than hard reality.
And the hard reality, as the Nuix Black Report found – it was compiled from interviews with 70 white-hat and black-hat hackers during the recent DEFCON hacker conference – is that 84 percent of the surveyed hackers said they use social engineering as part of their attack strategy. Fully 88 percent of the respondents to that survey said they could compromise a target in less than 12 hours.
Perhaps more telling was the finding that just 52 percent said employee education was an extremely important countermeasure to their efforts. This low figure is a bit of chest-beating from potential attackers, suggesting that they will find the information they need to breach your company whether employees know about it or not.
CSOs considering the best way to teach employees about social engineering might want to encourage the watching of the TV series Mr Robot, for whose protagonists social engineering comes as naturally as breathing. But apart from that, what can the average CSO do to prevent social engineering?
Instructions about proper social-media use are a great place to start. Most employees are haphazard with personal information and don’t think twice about posting updates or pictures that tell more than they should. Photos of the workplace, colleagues, significant others, or even their hobbies and pastimes are a gold mine for hackers collecting information for use in a social-engineering hack.
The same goes for comments about projects they are working on, screen shots of complex code, whatever: too many employees broadcast their thoughts to the world without considering that the world may indeed be watching. Even LinkedIn has become a weak point because employees tend to use it diligently to maintain their CVs and to link to their colleagues and customers. This makes the service as vulnerable to social engineering as detailed blueprints would make a bank vulnerable to being robbed.
Teach employees to be circumspect in their sharing, and consider implementing policies to punish sharing of information about company events or projects on social media. It may be worth setting up and promoting a secure and auditable chat tool like Slack, then mandating that any information about such topics be limited to that platform.
Also consider assigning one or more staff members to proactively audit the social-media trail left by employees – perhaps scaring them into action by building dossiers on them based entirely on information gleaned from online sources. This is particularly important for executives whose jobs authorise them to perform business functions. Procurement managers, for example, make a tasty target for BEC (‘whaling’) instigators because they likely have the authority to transfer funds without extensive oversight.
In theory, compliance and governance requirements have already driven every business to protect themselves against compromise through unauthorised financial transactions. Yet the runaway success of BEC – which is causing CEOs like FACC’s Walter Stephan to be fired and companies to suffer considerable and material loss and was last year blamed by the US FBI for causing $US2.3 billion ($A3 billion) in reported losses between 2013 and 2016 alone – confirms that many companies either don’t have preventative policies in place, or aren’t following them.
This is a fault of corporate governance, but responsibility for preventing such attacks may well fall into the CSO’s lap because business people intrinsically blame them for email-related issues. Here, it’s important to engage with business line leaders who understand current and best-practice approval practices.
Social-engineering attacks may start with online information, but they often escalate into the real world. This presents an even bigger challenge, since protecting against that part of the attack may fall into the portfolio of physical-security business units that may not have anything to do with IT on a regular basis. This means that security screeners welcoming staff and guests, for example, may have no idea that a particular employee has been a bit too prolific in sharing personal information and may be a target for hackers.
Careful CSOs should reach out to other parts of the corporate security apparatus to, for example, be able to flag particular employees so that extra identity checks are triggered whenever an entry or exit occurs. An employee who has just been terminated, for example, must have their access to the building disabled immediately, and security must be put on warning for anyone subsequently claiming to be acting on their behalf.
Recognising the fact that a robust security defence requires better integration between the physical and virtual security worlds, some vendors have begun linking or combining the two to build physical security information management (PSIM) systems that will increase unity between the two operational spheres.
It may also be worth considering monitoring tools that regularly screenshot user activity, to know what they are and aren’t sharing.
Many companies are increasing their exposure to social engineering simply because data aggregation – whether as part of their own business or as part of the legislated monitoring activities of third-party organisations – is creating ever more appealing honeypots, targeted by well-funded hackers using social engineering.
The Information Security Forum (ISF) recognised the growing risk to information integrity as one of the nine biggest information-security threats through 2019, noting that “motivated attackers will quickly recognise the value of this data, know where it is and how to get it, and have the capability to analyse, interpret and exploit it.”
ISF recommends that CSOs ensure they are aware of all potential third-party monitoring that may be going on, and engage with communications providers to proactively manage that risk. After all, the social-engineering threat isn’t only about your employees – but also about the employees of third parties that have information about your business.
Topspin Security recommends that security-conscious companies augment their network with a range of hacker traps, lures, and honeypots – including decoy data sets designed to attract and confuse hackers – and reported that a test capture-the-flag type experiment with 50 professional hackers proved extremely successful in deceiving and detecting intruders.
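One way the decoy-data idea described above can be turned into a detection signal, as an added example that is not Topspin’s code or anything from the original article: decoy customer records are planted among real ones, and because no legitimate workflow ever references a decoy id, any access to one in the application’s access log is treated as a high-confidence alert. The record layout, log format, user names and ids are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: two real records, plus decoys planted among them.
REAL_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example"},
    {"customer_id": "C-1002", "name": "Bob Example"},
]
# Constructed decoy ids; in practice keep this list out of the data set itself.
DECOY_IDS = {"C-9901", "C-9902"}


def plant_decoys(records, decoy_ids):
    """Mix plausible-looking decoy records into the real data set."""
    decoys = [{"customer_id": d, "name": "Decoy Customer"} for d in sorted(decoy_ids)]
    return records + decoys


# Assumed (constructed) access-log line format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) customer_id=(?P<cid>\S+)$"
)


def scan_access_log(lines, decoy_ids):
    """Return {user: [(timestamp, customer_id), ...]} for every access that touched a decoy."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, but worth counting in production
        if m["cid"] in decoy_ids:
            hits[m["user"]].append((m["ts"], m["cid"]))
    return dict(hits)


# Constructed sample log: one normal lookup, then a bulk export that sweeps up the decoys.
SAMPLE_LOG = [
    "2017-08-01T10:02:11Z user=jsmith action=read customer_id=C-1001",
    "2017-08-01T10:05:40Z user=contractor7 action=export customer_id=C-1002",
    "2017-08-01T10:05:41Z user=contractor7 action=export customer_id=C-9901",
    "2017-08-01T10:05:42Z user=contractor7 action=export customer_id=C-9902",
]

if __name__ == "__main__":
    dataset = plant_decoys(REAL_RECORDS, DECOY_IDS)
    for user, accesses in scan_access_log(SAMPLE_LOG, DECOY_IDS).items():
        print(f"ALERT: {user} touched {len(accesses)} decoy record(s): {accesses}")
```

The same check works for any identifier a decoy carries (email address, document title, API key), as long as the decoy values are unique and never appear in legitimate traffic.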
However you go about it, it’s never too early to take steps to minimise your exposure to social engineering. Evaluate your procedural defences and test your employees regularly to make sure that you discover any deficiencies before malicious hackers do. Tighten business processes that should already be in place – restrictions on transfers of funds without multiple signatures, for example – and others will emerge as potential vulnerabilities are workshopped or discovered.
Learn to think like a hacker and leave no stone unturned in considering ways an attacker could exploit your organisational structure to access your data. No matter what it involves, stay on the front foot to protect against social engineering: as the Nuix Black Report respondents unanimously pointed out, once someone has accessed your data, it’s gone. As in, gone gone.