Social engineering is a malicious data theft technique built on one thing – trust.
First, the perpetrator works to gain the trust of the target, and this can be done through myriad techniques, both digital and face-to-face. Social engineers gain people’s trust, tricking their way into buildings so that they can walk out with physical documents, flash drives, servers or even laptops in hand. Alternatively, they may develop that trust entirely digitally, purporting to be from a known or reputable organization, or getting in touch with a credible query.
Once that trust is built, social engineers are in a powerful and sinister position. They will home in on a target, craft a message, using all the right language, that the target will naturally respond to, and get what they want without the target even noticing they’ve given it away.
As such, defense against social engineering techniques needs to be built around stringent frameworks for gaining and maintaining trust in your colleagues, customers, and all third parties you work with. But how can you achieve this?
Training combined with technology
First, staff need to receive ongoing, dynamic training which actively responds to the evolving threat landscape, so they are empowered to recognize typical signs of social engineering and to ‘distrust by default.’ In person, this means training security personnel to recognize signs such as identity or access cards that have been forged or tampered with.
Digitally, it means training all personnel – particularly senior management, who are likely to be the targets of so-called ‘whaling attacks’ – to recognize signs such as suspicious email requests. For example, Barracuda analysis has identified the most common subject lines used by cybercriminals in targeted phishing emails, including ‘Request,’ ‘Follow up’ and ‘Urgent/important.’
Of course, simply screening out all such emails is a blunt technique which will result in important and legitimate content being missed. Staff awareness needs to be combined with more specific actions. We recommend, for example, tagging emails which arrive from outside your organization, so that warning flags can be automatically raised when social engineers are pretending to be from inside. Likewise, staff should be encouraged never to click on links in emails and instead visit sites directly.
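As an added illustration of the two points above (the Barracuda subject-line findings and the recommendation to tag external mail), here is a small Python checker written for this page; it is not code from the original post, from Barracuda, or from the author. It parses a raw message, prepends an external tag to the subject when the sender domain is not one of the organization's own, and raises separate warning flags when the display name matches a known member of staff but the address is external, when Reply-To points somewhere other than the From domain, or when the subject matches one of the common phishing subject lines the page cites. The domain list, staff names, tag text, flag names and the sample messages are all constructed assumptions; a real deployment would draw domains and names from the directory and apply the result as a header or subject rewrite at the mail gateway.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Tuple

# Constructed assumptions for this example (not real organization data).
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
KNOWN_INTERNAL_NAMES = {"jane doe", "sam lee"}
EXTERNAL_TAG = "[EXTERNAL]"

# The subject lines the page cites as most common in targeted phishing:
# 'Request', 'Follow up' and 'Urgent/important'. Leading Re:/Fwd: prefixes
# are skipped so a forged reply thread is still caught.
_PREFIX = r"^\s*(?:re:\s*|fwd?:\s*)*"
SUSPICIOUS_SUBJECT_PATTERNS = [
    re.compile(_PREFIX + r"request\b", re.I),
    re.compile(_PREFIX + r"follow[\s-]*up\b", re.I),
    re.compile(_PREFIX + r"urgent\b", re.I),
    re.compile(_PREFIX + r"important\b", re.I),
]


def _domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    """True when the From domain is not one of our own domains."""
    return _domain_of(msg.get("From", "")) not in INTERNAL_DOMAINS


def spoofs_internal_name(msg: Message) -> bool:
    """External sender whose display name matches a known colleague."""
    name, _ = parseaddr(msg.get("From", ""))
    return is_external(msg) and name.strip().lower() in KNOWN_INTERNAL_NAMES


def reply_to_differs(msg: Message) -> bool:
    """Reply-To present and pointing at a different domain than From."""
    reply_domain = _domain_of(msg.get("Reply-To", ""))
    return bool(reply_domain) and reply_domain != _domain_of(msg.get("From", ""))


def has_suspicious_subject(subject: str) -> bool:
    """Subject starts with one of the common phishing subject lines."""
    return any(p.search(subject) for p in SUSPICIOUS_SUBJECT_PATTERNS)


def tag_message(raw: str) -> Tuple[str, List[str]]:
    """Return (possibly tagged subject, list of warning flags) for a raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    flags: List[str] = []
    if not is_external(msg):
        return subject, flags          # internal mail is left untouched
    flags.append("external-sender")
    if spoofs_internal_name(msg):
        flags.append("display-name-matches-internal-staff")
    if reply_to_differs(msg):
        flags.append("reply-to-domain-differs")
    if has_suspicious_subject(subject):
        flags.append("common-phishing-subject")
    if not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return subject, flags


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Q3 budget\n\nSee attached.\n"
)
SAMPLE_VENDOR = (
    "From: Acme Billing <billing@acme-vendor.example>\n"
    "Subject: Invoice 1042\n\nPlease find your invoice.\n"
)
SAMPLE_SPOOF = (
    "From: Jane Doe <jane.doe@mail-example.net>\n"
    "Reply-To: accounts@other.example\n"
    "Subject: Urgent: wire transfer today\n\nCan you handle this quickly?\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_VENDOR, SAMPLE_SPOOF):
        subject, flags = tag_message(raw)
        print(f"{subject!r} -> {flags}")
```

The subject tag is what the reader sees; the flag list is what a gateway or SIEM rule would act on, for instance quarantining anything carrying the display-name flag while merely labelling ordinary vendor mail.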
Training also needs to be combined with technical protections such as vulnerability scanning and sandboxing. This can be challenging, and if you have multiple security technologies in play, you will need a single vulnerability management platform or tool to consolidate the results from all these and offer you a single pane of glass view into the incoming content arriving at your organization.
Third-party risk management solutions can also play a key role in screening incoming content, by automating the risk analysis of your major vendors, partners and suppliers, and ensuring that content arriving from those sources is automatically trusted.
Testing and verification
Getting all of those protections in place is just one part of the puzzle, however. Next, you need to test how robust those protections are by undertaking ethical social engineering as a simulation technique. This is the only way to verify how effective both your training and your technologies have been. If a social engineer on your own side can trick a staff member into keeping a door open for them, clicking on a compromised link or opening an infected attachment, then so too could a malicious party.
You also need to consider the trust that your own partners and customers place in you, and the risk of malicious actors purporting to be from your own organization. Combat this by being clear and upfront about your risk management and compliance processes – you must demonstrate clearly and actively how seriously you take cybersecurity and risk management. Trust is a two-way street.
An integrated approach
Above all, an integrated approach to risk management – considering both the trust you place in incoming content, and the trust your partners place in the content you send out – is essential.
This, and other aspects of how to guard your organization against the threat of phishing, are discussed in our recent webinar hosted by Cybersecurity Operations Director, Luke Potter.