Discover Performance: HP Software's community for IT leaders // April 2012
The human element: 4 defenses against social engineering
Socially engineered attacks are still one of the most successful means of penetrating organizational security. Learn how to beat the bad guys at their own game.
Broad consumer-targeted "phishing" attacks usually aren't particularly clever—do you really think that guy in Nigeria will share his millions with you?—but similar attacks targeted at businesses can be far more sophisticated. Forcing employees to make quick decisions, such as opening a secured door or sharing sensitive information "or you'll be fired," is a very common tool used against companies, and it is probably the most successful method of corporate attack.
Often, larger companies are particularly vulnerable to scammers. With more employees, scammers have more opportunities to operate without detection and less risk that made-up names and authorizations will be noticed by individual targets.
Security investment and involvement are not the issue. At most companies, firewalls, intrusion prevention devices and virtual private networks are in place and tested thoroughly. But no matter how much you've spent and how thoroughly you've tested, these products won't be able to prevent the help desk person from changing your CEO's password if someone impersonating your CEO yells convincingly enough on the phone.
So what's a CISO to do?
Go back to security basics
Social engineers know that it's easier to access a company's sensitive information by using people rather than technology. Beat them at their own game with four measures to harden your weakest link: people.
1. Control information access — First, revisit those old-faithful practices such as "need to know" and "separation of duties." The less information each employee has to share, the less damage they can do when targeted by a social engineering attack. Access controls in software systems help limit the information that any one person can give to a hacker. As a result, hackers are forced to contact more people in order to get all the data they need to launch their attack, making it more likely that they will be detected before they succeed.
2. Create a security response team — These are your "first responders" for social engineering and any other security incident and should have a documented protocol for dealing with all types of attacks. Make sure everyone in the company understands when and how to contact the team.
3. Encourage employees to be distrustful — Train your employees to respond to suspicious requests for information in a polite and helpful way without providing any information, and then to report the incident to the security response team. "Give me your number and let me call you back with that information" is always a great response to a suspected social engineer.
4. Verify the effectiveness of training — Finally, just because you've done training on social engineering doesn't mean it will work in practice. Train your employees how to handle requests for information and then reinforce these behaviors with continuous testing to make sure the message is getting through.
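Measures 1 and 3 can be turned into a procedure the help desk follows rather than a judgment call made under pressure. The example below is added here and is not HP's code: it models a password-reset request for the help-desk scenario above, releasing the reset only after the caller has been called back on the number on record (not a number the caller supplies) and, for a privileged account such as the CEO's, only after a second, different staff member approves (separation of duties); refusals are logged for the security response team. The account directory, agent names and phone numbers are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed directory: number on record and whether the account is privileged.
DIRECTORY = {
    "ceo":  {"phone_on_record": "+1-555-0100", "privileged": True},
    "jdoe": {"phone_on_record": "+1-555-0199", "privileged": False},
}

@dataclass
class ResetRequest:
    account: str
    requested_by: str            # help-desk agent taking the call
    callback_number: str         # number the caller asked to be reached on
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)   # hand to the response team

def verify_callback(req: ResetRequest) -> bool:
    """The callback must go to the number on record, never the caller's number."""
    rec = DIRECTORY.get(req.account)
    if rec is None:
        req.log.append(f"unknown account {req.account!r}: refused, report")
        return False
    if req.callback_number != rec["phone_on_record"]:
        req.log.append("callback number differs from number on record: refused, report")
        return False
    req.log.append("callback to number on record confirmed")
    return True

def approve(req: ResetRequest, approver: str) -> bool:
    """Separation of duties: the agent who took the call cannot approve it."""
    if approver == req.requested_by:
        req.log.append(f"{approver} cannot approve own request")
        return False
    req.approvals.add(approver)
    return True

def can_reset(req: ResetRequest) -> bool:
    """Release the reset only when every required control has passed."""
    if not verify_callback(req):
        return False
    if DIRECTORY[req.account]["privileged"] and not req.approvals:
        req.log.append("privileged account: second approver required, pending")
        return False
    req.log.append("reset authorised")
    return True
```

Because every refusal is written to the request log, the response team sees attempts that failed the callback check, which is exactly the signal measure 2 relies on.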
Humans are gullible. We like to help other people. We like to be liked. And for thousands of years, our trusting nature has been getting us into trouble. The Greek story of the Trojan Horse tells us that humans have been suckers for social engineering since about 1200 B.C. More likely, social engineering is as old as humankind. But by simply limiting access to information and thoroughly training employees in how to detect and respond to socially engineered attacks, you can protect your business against this dark art.
Read HP’s report on human-centered attacks, “Defend your business against the dark art of social engineering” (.pdf), and learn more about hardening your organization against all manner of attack, at www.HPEnterpriseSecurity.com.