Train your staff to identify and take action to prevent social engineering attacks.By: Michael Maughan (CISSP, QSA)
When you think about a hacker you might imagine dark basements, coding on the fly, and lots of wires and cords. But more often than not, data breaches are the result of an attack that takes advantage of our inattention and naiveté: social engineering.
These days, social engineering is used in more than 66% of all attacks. Solo hackers and nation states alike employ tactics meant to trick, coerce, and manipulate individuals into giving them access to what should be secure data. Often, all the hackers need to do is find an unsuspecting individual who doesn’t follow protocol in order to be helpful.
Since this problem isn't technically sophisticated, the solution to protect against social engineering isn’t either.
Safeguarding against social engineering attacks involves awareness training for your staff, especially anyone with access to your card data environment (CDE) or can impact your CDE's security. This includes developers who have credentials to push code live, accountants who have access to process credit card charges and chargebacks, security personnel who monitor the activities and access into the server room of a data center facility, and even janitors who have unmonitored access to an entire building.
Social engineering awareness training can be simple and cost effective. Employees need to be reminded and informed about company policies and procedures that prevent social engineering attacks, as well as observe what social engineering attacks look like.
SEE ALSO: Employee Security Training: Tabletop Exercises
Common Social Engineering TacticsFirst off, train employees to recognize the following scenarios:
The Dumpster Dive: If you don’t shred sensitive documents (like order forms, invoices, phone lists, calendars, or software information), someone could go through the garbage and discover cardholder data, personal information, and other sensitive data.
Hard drives and devices shouldn’t be discarded without following proper data destruction procedures.
The Pointed Question: A social engineer might pose as someone needing assistance that asks follow-up questions seemingly out of curiosity, but really has malicious intent.
Any information given can then be used for more informed social engineering attacks. With a trove of highly relevant information, an attacker can understand the nature of your secure environment, the hardware and software involved, the roles and responsibilities of those working in your secure environment, and what habits and tendencies employees follow in certain situations.
With this understanding, a malicious person can craft a custom attack vector that won’t get noticed until it’s too late.
Fake IT Employee: A social engineer could pose as IT support, flash a fake ID tag, and inform the front desk they're there to fix a problem. If they're led to the customer data center cabinet, there's the potential that they could gain access into it and do all sorts of malicious activities to the hardware.
Changing Passwords: One common tactic is for a social engineer to call the help desk, pose as someone of authority (a manager), and say they need to change an employee’s username and password.
The Name-Drop: Be aware of those who approach IT support and mention their supposed supervisor’s name as an effort to circumvent standard procedures in order to gain access to something they don’t have permission to access.
The Relaxing Conversation: If a staff member seems suspicious of an attacker, they might start casually talking, joking, and building a rapport with that staff member. Once trust is gained, the social engineer will ask for a favor to circumvent some control or process in such a way that makes an employee feel bad if they don’t permit it.
Fake Staff: A social engineer dresses and acts like an employee (wearing company uniform, ID tag). If nobody stops them to check their ID tag, they can steal valuable data, such as passwords written down on paper, take laptops, and install malware while walking around.
You should also be aware of people who appear lost in the building, such as a package or mail delivery person asking where a specific employee’s office is.
Tailgating: A social engineer shows up with hands full (boxes of donuts, coffees), and asks an employee to hold open a door into restricted areas. This also applies to those who may try to coattail you through a data center mantrap without swiping their badge.
New Hire: A social engineer pretends to be a new employee, then asks to be given a tour around the office where they can gain access to information and systems.
SEE ALSO: 6 Steps to Making an Incident Response Plan
5 Tips to boost your social engineering training1. Get creative about trainings. Best practice is to have regular, mandatory trainings for existing employees (e.g., monthly or quarterly) and as part of the on-boarding process for every new hire. If you don’t feel comfortable leading trainings, you can outsource to an experienced trainer.
Successful training incorporates a variety of activities that teach how to identify social engineering attempts. Share stories, act out scenarios, hold drills, run tabletop exercises, and use relevant video clips and training materials.
2. Create a corporate policy that employees can understand. Use real-life examples and references your staff can apply in practice. Avoid lengthy, technical documents that are difficult to read and apply to everyday work routines.
Give employees direct instructions that apply to your specific workplace. For example, tell employees to send suspicious and potential phishing emails to email@example.com, or alert a manager if they feel they're encountering or have encountered a social engineering situation.
3. Make social engineering a part of everyday conversations. Infuse social engineering information into every security message that goes out to employees. Keep communication lines open and accessible. Make sure employees remember that safeguarding company data is part of their job, even when they're not in the office. Sharing information on social media, through phone calls, and in person should be done with security in mind.
4. Put staff to the test. You can start a red team task force to conduct secret “social engineering” operations to see how your employees respond. You can also outsource this; some security professionals offer social engineering testing services as part of their penetration testing program.
The task force can do things like: take badges and credentials left in unlocked cars, pose as janitorial staff, and attempt to access a secured room without a badge. They can also pose as an IT professional that needs to fix the network and see how close they can get to the server room before someone stops them. The red team could even attempt to clone an employee’s badge access card.
5. Encourage a questioning culture. Promote good judgement and healthy skepticism. Help employees feel empowered to question why someone is visiting the company or why someone needs to bypass normal safety protocol. Here are some examples of questions they might need to ask:
- “Can I see your ID please? Hold on for a second while I verify your clearance.”
- “No, I’m sorry but you can’t use my ID. Where’s yours anyway?”
- “I’m going to have to talk to my manager about giving you that information.”
Stop the attacks dead in their tracksSocial engineering remains a successful attack vector for many data thieves. Give your employees a strong foundation of education, and empower them with real-life skills to stop social engineers from getting past security controls and procedures.
If you make social engineering training a part of your regular security awareness training schedule, your staff will be more equipped to prevent successful social engineering attacks.
Michael Maughan (CISSP, QSA) is a Security Analyst at SecurityMetrics and has been in IT for 18 years. He has a Bachelor of Science in Applied Physics from BYU and is an avid college sports fan.