Social engineering attacks focus on convincing individuals into bypassing security procedures to gain unauthorized access to systems, networks and data, usually for financial gain. As a first step in larger cyberattack operations, social engineering tactics
can create large-scale damage by infiltrating systems, stealing sensitive data or releasing malware. This piece details social engineering best practices, providing guidance to prevent attacks and recommending ways to mitigate them.
Prevent and Mitigate Social Engineering Attacks
While social engineering is a human-centered form of attack, preventive measures must address not only people, but policy and technical controls as well across the organization.
1. Establish Companywide Policies and Procedures
Even a strong cybersecurity culture is not as effective without policies and procedures in place to provide documented guidance and enforce behaviors. Just as every employee is a potential target for social engineering, every policy and procedure should
consider potential social engineering vectors and provide specific guidance on steps to take to avoid a successful attack. Important examples include:
- Physical access:
- Enforce visible employee badges for entry and while inside organizational facilities, but ensure employees do NOT wear badges outside facilities to prevent providing a malicious actor with information such as name and place of employment.
- Implement a clear process for obtaining a temporary or replacement badge and enforce validation of current employment as a prerequisite to receiving one.
- Require valid badge swipes for every person to avoid tailgating (i.e., when an unauthorized person “tailgates” or “piggy backs” into an area with an authorized person).
- Ensure employees know how and when to report the presence of an unauthorized person.
- IT:
- Never reset passwords without visible evidence the person requesting the password reset is the employee (this can be done via video conference).
- Require independent approvals for new access or escalation of privileges.
- Perform regular audits of accounts and access levels.
- Specify requirements for asset disposal to ensure devices and documentation cannot be compromised via dumpster-diving.
- Finance:
- Prohibit the change of bank account information or wiring of money without independent verification via a known-good communications mechanism (i.e., do NOT accept an account change request via an email without calling the phone number on the original
contract to verify validity of the request).
- Require a second set of eyes to approve account changes and wire transfers, no matter how urgent the request.
- Legal:
- Classify organizational data and documentation in a way that makes it clear how sensitive the information is and how it should be handled.
- Cybersecurity:
- Perform penetration testing that includes social engineering attacks.
2. Train Employees Appropriately
Once policies and procedures are established, it is critical to distribute them and have employees trained on the most important elements. General employee training should cover key concepts such as:
- Understanding common ploys and scams used by social engineers. This should include:
- How to identify a phish and the common tactics of urgency and authority used in them.
- Being aware of social engineering attempts via social media such as LinkedIn, Twitter, Reddit and other forums.
- Staying alert in social settings for people who show a lot of interest in your work – especially at restaurants, bars, gyms and stores employees tend to frequent.
- Always following policies and procedures (see previous section). This should include:
- Verifying information using official sources.
- Knowing how to report suspicious behaviors or actions.
- Practicing good cyber hygiene. For example, users should:
- Not share or use a password for multiple accounts.
- Use ONLY corporate devices and accounts for official organization business.
- Never open emails and attachments from suspicious sources.
- Be wary of tempting offers (such as gift cards or gossip) or messages that incite urgency or fear.
- Never reveal passwords or login credentials to anyone – even IT does not need them – EVER!
- Make sure the URL is correct when entering details on a website.
- Never open strange-looking files or attachments.
- Use MFA and VPN services to protect your identity and your communications.
3. Put Effective Technology Backstops in Place
Even organizations with comprehensive policies and procedures and well-trained employees have been the victims of social engineering. The third element of preventing and mitigating social engineering attacks is technology.
Some effective technologies include:
- Threat intelligence capabilities that monitor the internet and dark web for compromised employee credentials or sensitive organization data. These services can also include monitoring for domain impersonation. For example, if the organization’s
website is www.website.com, an attacker may register www.vvebsite.com (using two Vs rather than a W) as a way to get someone to click on a malicious site.
- Email security capabilities that monitor for and quarantine malicious content in an email. Websites can also be tested before being released into email inboxes. Keywords can also be noted and used to alert cybersecurity teams or business unit leadership
to validate email content. For example, any email to the finance team that contains the words “urgent” or “change account” could alert finance leadership to ensure no actions are taken that could result in a payment to a malicious
actor.
- Email approve- and deny-listing for organization leadership and administrators to ensure malicious actors cannot impersonate them. For example, if the CEO is Julia Broadwater, the IT team can approve-list only the personal email addresses Julia tells
them are valid. All similar addresses can be deny-listed and quarantined. That way, if the CEO’s real personal address is jbroadwater@gmail.com, but the CFO receives an email from j_broadwater1@gmail.com with a request, the email will be quarantined.
- Vulnerability and patch management ensure organizational devices are kept up to date with the latest security patches to thwart attacks that use known vulnerabilities
READ: How to Create an Effective Anti-Phishing Program
Social Engineering Response and Recovery
Even if your organization has a well-balanced social engineering prevention program, you may still be successfully attacked. A good defense-in-depth strategy must include not only prevention, but response and recovery as well.
For example, organizations should create:
- Policies that encourage and reward employees who report social engineering attacks, even after they occur.
- Comprehensive and detailed procedures for incident response, including containment, eradication and recovery steps. These must also have instructions on how to classify and who to notify based on the severity of the incident.
- Post-incident reports and documentation to evaluate the root cause, identify weaknesses in the program and recommend remediation measures.
READ: How to Advance Your Phishing Program to Address Ransomware
Social engineering prevention and mitigation must cut across people, process and technology to be effective. While training users to be vigilant and aware is critical to preventing attacks, it is also important to have well-documented, easily accessible
ways to report social engineering attacks, in addition to technical controls that supplement training and provide automated policy enforcement.
Employee education is the first line of defense against social engineering. If the entire organization is aware of potential threats, your security strategies will be much easier to implement.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.