Pulling it all together – Social Engineering Security Policy

spiro117

Social Engineering Training

Introduction

$6 Trillion: Estimated damage costs of cyber crime annually by 2021

70%: Percentage of cyber attacks that employ social engineering to enable more advanced hacking

$38.5 Billion: The cost of the most expensive computer virus currently on record, which was transmitted via a social engineering attack.

84% of attacks are enabled through some form of social engineering

Human Nature: An Inherent Vulnerability

Social Engineering is an inherent part of human interaction. Not all social engineering is nefarious; however, from a protection perspective, it can include:

Using influence and persuasion to deceive people, by convincing them that the social engineer is someone they are not, or by manipulation.

Human interaction (personal, telephonic, digital, etc.) whereby a person reveals information they otherwise would not.

Social Engineering and Cyber Attacks

There are multiple components that make up a cyber attack. Understanding these components, and how they interact within your organization, is the first step toward recognizing the social engineering attack vectors that threaten operations and the critical data the organization holds.

Social engineering is the most prevalent vector used to gain access and enable an attack.

Social Engineering and Time-Tested Techniques

Social engineers use a variety of tools to manipulate their targets. Although the mediums of social engineering have expanded, the techniques employed remain proven and effective.

In general, people have a tendency to trust and develop a connection with others. Through social engineering, malicious actors are exploiting this vulnerability for a variety of end goals across the spectrum of targets.

Targeting: What and Why

Different threat actors focus on different targets based upon their desired end state. Industries vary in the full scope of their exposure; however, all industries have some threat actors and attack vectors in common.

Motivations vary by target and threat actor, and range from financial profit to revenge to foreign national interests.

Targeting: WHO

Malicious actors target different people in different roles for specific purposes. Targets across the spectrum experience a variety of attack vectors based on their assessed access to the desired data. Targets include:

Students

Faculty

Receptionist

Finance

New Hires

Executives

Human Resources

Targeting: How

Bad actors focusing on social engineering have many tools at their disposal. Some leverage bleeding-edge technology while others are more archaic but tried-and-true.

Threat actors will carry out their tactics based on multiple factors, including assessed vulnerabilities, geography, in-house skill set, and the access required for their end goals.

PHISHING: The most commonly used e-mail-based method of inducing a user to unwittingly provide access to critical information.

IN PERSON: Direct contact with an individual to gain trust and extract information.

PRETEXTING: Using an invented scenario to engage a targeted victim and increase the chance that the victim divulges information or performs actions that would otherwise be unlikely.

Attack Recognition: Spear Phishing

Phishing and Spear Phishing are e-mail based attacks that are pervasive and effective. The spear phisher relies on familiarity and weaponizes it against the victim.

NOTE: Fear of potential disconnection of the user's account, as well as the potential implications of a financial obligation, may pressure the user to click the link and likely install malware.

Attack Recognition: Spear Phishing

Spear phishing attacks are becoming increasingly sophisticated and can replicate common communications from trusted sources to appear authentic.

Looking at the actual e-mail address (or hovering over the link to reveal the true address) can help stop the attack before it can do damage.

NOTE: Observe the use of urgency and reward in the message.

Attack Recognition: Spear Phishing

This recent example plays on familiarity with a trusted business with whom the target may or may not currently conduct business. It appears legitimate in content, with no obvious spelling or grammatical errors.

NOTE: Hovering over the link reveals it does not link to ADP, but rather a Russian destination. Clicking on this link would likely install malware.
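The two checks these slides describe, reading the true sender address and revealing where a link really points, as an added example that is not part of the original deck: it uses only the Python standard library, the domains are constructed placeholders, and the last-two-labels domain comparison is an assumption (a real implementation would consult a public suffix list).

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Anchor text that itself looks like a URL or bare domain is what the reader believes they are clicking.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list is consulted)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_mismatched_links(html_body):
    """Links whose displayed domain differs from the domain the href actually points to."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_LIKE.match(text)
        if not shown:
            continue  # plain words such as "Contact support" show the reader no domain to compare
        actual_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(actual_host):
            findings.append({"shown": text, "actual": actual_host})
    return findings

def sender_mismatch(from_header, brand, brand_domain):
    """True when the display name invokes a brand but the address is not on that brand's domain."""
    name, addr = parseaddr(from_header)
    return brand.lower() in name.lower() and registrable_domain(addr.partition("@")[2]) != brand_domain.lower()
# Constructed sample message with placeholder domains (not a real campaign)
SAMPLE_FROM = "ADP Payroll <notifications@adp-login.example.net>"
SAMPLE_HTML = ('<a href="https://workforce.adp-login.example.net/verify">https://workforce.adp.example/statements</a>'
               '<a href="https://help.adp.example/contact">Contact support</a>')
```

Both functions flag the constructed sample: the visible link claims adp.example while the href goes to example.net, and the display name says ADP while the address does not belong to the ADP domain.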

Attack Recognition: Spear Phishing

The CEO/CFO wire transfer scam netted social engineering criminals billions of dollars in 2016. Attackers conduct extensive research for targeting and rely upon employees to follow instructions from senior leadership. While it takes more effort from the attacker, it is highly effective when researched and executed properly.

Social Engineering: Defense

There are several steps that personnel and organizations can take to further harden their attack surface against social engineering attacks, but these steps must be taken by everyone and reinforced regularly. They include:

TRUST BUT VERIFY. When a potential social engineering attempt appears to be in play, externally verify through proper vetting practices and strong communication.

PASSWORD COMPLEXITY. Effective password complexity is essential. Additionally, two-factor authentication is highly encouraged.

AWARENESS and TRAINING. Regular training should be reinforced and in line with best security practices as well as organizational policy guidelines.

COMMUNICATION and VIGILANCE. Communicate continually with others in the organization. Reporting a potential attack is good, but ensure the lessons learned are disseminated so that others in the organization are sensitized, which will harden your attack surface.

Social Engineering: Final Thoughts

You are charged with the protection of critical data that is under persistent attack from cyber threat actors conducting social engineering to exploit it for nefarious purposes. Take responsibility. Be vigilant.

In the asymmetric cyber landscape, EVERYONE is a gatekeeper of critical information

Security is part of ALL departments and roles within an organization, not just the IT department

Vigilance will result in a more secure organization