Sensing that they are victimized by a social engineering deception
While reading about these social engineering tricks, you might wonder: why would a cyber criminal spend time devising a sophisticated high-tech attack when the same result (or one well beyond his expectations) can be achieved with a much simpler offline swindle?
The weakest link in the cyber security chain is usually not technological; it is human, and human beings are susceptible to psychological manipulation. Social engineering is not a new phenomenon. It has existed in one form or another for as long as there have been people to deceive (Top 14 Financial Frauds of All Time).
Common scams rely on common mistakes, and the biggest of these is paying more attention to security infrastructure than to people. As Shawn Moyer, managing principal research consultant of the Accuvant LABS R&D team, puts it: “A lot of defenders still think in terms of an attacker on the Internet externally trying to find a way in. …The reality is, if I’m the outside threat, I find an insider and that insider becomes your threat.” The logic suggests that security awareness training for employees is virtually mandatory.
Nowadays a careless attitude among employees (“What do I care, it’s not my data”) is simply unacceptable, according to Chris Hadnagy, an operations manager for Offensive Security. “Now, security awareness has become personal for them. It’s not just about protecting their employer’s data but their life,” adds Hadnagy. On the other hand, overdoing security measures is the opposite extreme, and it does damage of its own, because it can impair communication between clients and the organization. For instance, checking links and files with VirusTotal, a free service that scans them with many antivirus engines and URL scanners, is the right thing to do when you have a reason to be suspicious, but doing it for every link and file slows normal work to a crawl. Bear in mind, too, that files uploaded to VirusTotal are shared with the security vendors behind the service, so confidential documents should not be submitted; look up the file's hash instead. A balance must be struck between security and productivity at work.
With regard to employees undergoing security awareness training, Lance Spitzner, director of the SANS Securing the Human Program, says: “We’ve done tremendous work to secure computers but nothing to secure the human operating system. That’s why these social engineering techniques are so prevalent. To change human behaviour, you need to educate and train employees, not just once a year but continuously. Like you continually patch computers and applications, you’re continually training and patching human operating systems.” In the same spirit, Spitzner observed that employees who undergo periodic security training are better oriented when a threat appears and, as a whole, less likely to fall victim to spear phishing and similar social engineering campaigns.
There are almost always signs that expose a scam disguised as an innocuous request: the tone used, noises in the background of a call, the real destination of a link when you hover the mouse cursor over it (the address the browser shows, not the text of the link), and so on. Users should therefore pay attention to the details. People trained to be security aware have a better chance of sensing that they are being targeted by a social engineering deception and of contacting the security team promptly; reacting quickly is critical. To sum up, there is no easy fix for social engineering scams, but proper education can give you and your team what is needed to see one coming.
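To make the "hover over the link" sign concrete, here is an added example (not code from the original article or from any of its sources) that parses an HTML message and compares the host each link displays with the host it actually points to, and additionally flags bare-IP destinations, punycode labels and user@host tricks. The message and every domain in it are constructed for the example; the registrable-domain comparison is a crude last-two-labels approximation, an assumption that mishandles suffixes such as co.uk.

```python
"""Added example, not code from the original article: automate the
"hover over the link" check on an HTML email by comparing what each link
*shows* with where it really *goes*, plus a few other tell-tale signs.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; all hosts are hypothetical.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Review your account at
<a href="http://login.example-bank.com.evil.test/reset">https://login.example-bank.com/</a>
or contact <a href="https://support.example-bank.com/help">support</a>.</p>
<p>Invoice: <a href="http://192.0.2.10/inv.exe">invoice_2015.pdf</a></p>
<p>Secure portal: <a href="https://example-bank.com@attacker.test/login">example-bank.com</a></p>
"""

# A bare domain as it would appear in anchor text, e.g. "example-bank.com".
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(address):
    """Lower-case host of a URL or bare domain ('' if there is none)."""
    if "://" not in address:
        address = "http://" + address
    try:
        return (urlsplit(address).hostname or "").lower()
    except ValueError:
        return ""


def _registrable(host):
    """Crude registrable-domain approximation (assumption): last two labels."""
    return ".".join(host.split(".")[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_address(text):
    """Does the anchor text itself claim to be a URL or a domain?"""
    return "://" in text or bool(_DOMAIN_RE.match(text.lower().rstrip("/")))


def suspicious_links(html):
    """Return [(href, text, [reasons])] for every link worth a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        try:
            parts = urlsplit(href)
        except ValueError:
            findings.append((href, text, ["unparseable href"]))
            continue
        host = (parts.hostname or "").lower()
        # user@host trick: the browser ignores everything before the '@'.
        if parts.username is not None:
            reasons.append("userinfo before the host hides the real destination")
        if _is_ip_literal(host):
            reasons.append("destination is a bare IP address")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode (IDN) label in host: possible look-alike domain")
        if _looks_like_address(text):
            shown = _host_of(text)
            if shown and _registrable(shown) != _registrable(host):
                reasons.append(f"text shows {shown} but the link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script reports three of the four links: the look-alike subdomain chain, the executable served from a bare IP, and the user@host link whose displayed domain is really the username part of the URL. The genuine support link passes. The same checks are what a trained user performs by eye when hovering; automating them in a mail gateway or a triage script simply removes the dependence on the user noticing.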
Bisson, D. (2015). 5 Social Engineering Attacks to Watch Out For. Available at http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/ (01/08/2015)
Corporate Information Technologies. Social Engineering Detection and Training. Available at http://www.corp-infotech.com/services-solutions/social-engineering-detection-training/ (01/08/2015)
Doctorow, C. (2012). Dropped infected USB in the company parking lot as a way of getting malware onto the company network. Available at http://boingboing.net/2012/07/10/dropped-infected-usb-in-the-co.html (01/08/2015)
Galloway, D. (2011). Open Found USB Drives/CD-ROMs with a Virtual Machine to Avoid Malware Attacks. Available at http://lifehacker.com/5817765/open-found-usb-drivescd-roms-with-a-virtual-machine-to-avoid-malware-attacks (01/08/2015)
Grauer, Y. (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.forbes.com/sites/ygrauer/2015/07/09/social-engineering/ (01/08/2015)
Henrique, W. (2013). Baiting Attack Exercise – The Old School Way Still Works. Available at https://www.trustwave.com/Resources/SpiderLabs-Blog/Baiting-Attack-Exercise-%E2%80%93-The-Old-School-Way-Still-Works/ (01/08/2015)
Hobbs, D. (2014). The New Face of Social Engineering and Fraud. Available at http://blog.radware.com/security/2014/05/new-face-of-social-engineering-fraud/ (01/08/2015)
KnowBe4, LLC. What is Vishing? Available at http://www.knowbe4.com/vishing (01/08/2015)
KU Leuven (2013). Identity theft – social engineering. Available at https://admin.kuleuven.be/icts/english/information-security/identity-theft-2013-social-engineering (01/08/2015)
Mosk, G. (2013). Protect yourself Online from Social Engineering and Identity Theft. Available at http://www.domainraccoon.com/blog/social-engineering-and-identity-theft (01/08/2015)
Pontiroli, S. (2013). Social Engineering, Hacking The Human OS. Available at https://blog.kaspersky.com/social-engineering-hacking-the-human-os/ (01/08/2015)
Savage, M. Gaining awareness to prevent social engineering techniques, attacks. Available at http://searchsecurity.techtarget.com/magazineContent/Gaining-awareness-to-prevent-social-engineering-techniques-attacks (01/08/2015)
Secure Thinking Ltd. How to Identify Phone Scams. Available at http://securethinking.co.uk/how-to-identify-phone-scams/ (01/08/2015)
Shimbun, Y. (2010). October 5, 2010: Cybervirus Found in Japan / Stuxnet Designed to Attack Off-Line Servers via USB Memory Sticks. Available at https://311truth.wordpress.com/2014/01/21/october-5-2010-cybervirus-found-in-japan-stuxnet-designed-to-attack-off-line-servers-via-usb-memory-sticks/ (01/08/2015)
Social Engineer, Inc. Vishing as a Service (VaaS). Available at https://www.social-engineer.com/vishing-service/ (01/08/2015)
Social Engineer, Inc. Identity Thieves. Available at http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/identity-theives/ (01/08/2015)
Stanford University (2014). Phishing & Social Engineering. Available at https://web.stanford.edu/group/security/securecomputing/phishing.html (01/08/2015)
Wall Street National (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.wallstreetnational.com/for-social-engineering-scams-the-best-security-patch-is-education/ (01/08/2015)