Sensing that they are victimized by a social engineering deception

The Need of Security Awareness and Education
 
While reading about these social engineering tricks, you might think: why would a cyber criminal waste time coming up with a sophisticated high-tech scam when he knows that the same result (or even one that surpasses his boldest expectations) can be achieved with a much simpler offline swindle?
Presumably, the weakest link in the chain of cyber security is not technological; it is human. And human beings are susceptible to psychological manipulation. Social engineering is not a new occurrence. It has been around in one form or another since the beginning of time (Top 14 Financial Frauds of All Time).
Common scams necessitate the existence of common mistakes. More attention is paid to security infrastructure than to people, and that is the biggest mistake. As the managing principal research consultant of the Accuvant LABS R&D team, Shawn Moyer, attests: “A lot of defenders still think in terms of an attacker on the Internet externally trying to find a way in. …The reality is, if I’m the outside threat, I find an insider and that insider becomes your threat.” The logic suggests that introducing security awareness training for employees is virtually mandatory.

Nowadays, a careless attitude among employees (“What do I care, it’s not my data”) is simply unacceptable, according to Chris Hadnagy, an operations manager for Offensive Security. “Now, security awareness has become personal for them. It’s not just about protecting their employer’s data but their life,” adds Hadnagy. On the other hand, overdoing security measures is the opposite extreme and might be as damaging as becoming the victim of a breach, because it may impair communication between clients and organizations. For instance, checking links with VirusTotal, a free service that inspects links and files for malware, is the proper thing to do when you have a reason to be suspicious, but doing so for every link and file can seriously slow down the normal work process. A fine balance must be struck between security and productivity at work.

With regard to employees undergoing security awareness training, Lance Spitzner, director of the SANS Securing the Human Program, says: “We’ve done tremendous work to secure computers but nothing to secure the human operating system. That’s why these social engineering techniques are so prevalent. To change human behaviour, you need to educate and train employees, not just once a year but continuously. Like you continually patch computers and applications, you’re continually training and patching human operating systems.” In the same spirit, Spitzner observed that employees who undergo periodic security training are better oriented when faced with cyber threats and are, as a whole, less likely to become victims of spear phishing and similar social engineering campaigns.
There are almost always some signs that expose a scam disguised as an innocuous deed: the tone used, the noises in the background, the real destination of a link revealed when you hover the mouse cursor over it, and so on. Hence, users should pay attention to the details. People who are trained to be security aware have a better chance of sensing that they are being targeted by a social engineering deception and of contacting the security team promptly. Reacting quickly is critical here. To sum up, there is no easy fix for social engineering scams, but proper education can give you and your team what you need to see them coming.

Reference List
Bisson, D. (2015). 5 Social Engineering Attacks to Watch Out For. Available at http://www.tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/ (01/08/2015)
Corporate Information Technologies. Social Engineering Detection and Training. Available at http://www.corp-infotech.com/services-solutions/social-engineering-detection-training/ (01/08/2015)
Doctorow, C. (2012). Dropped infected USB in the company parking lot as a way of getting malware onto the company network. Available at http://boingboing.net/2012/07/10/dropped-infected-usb-in-the-co.html (01/08/2015)
Galloway, D. (2011). Open Found USB Drives/CD-ROMs with a Virtual Machine to Avoid Malware Attacks. Available at http://lifehacker.com/5817765/open-found-usb-drivescd-roms-with-a-virtual-machine-to-avoid-malware-attacks (01/08/2015)
Grauer, Y. (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.forbes.com/sites/ygrauer/2015/07/09/social-engineering/ (01/08/2015)
Henrique, W. (2013). Baiting Attack Exercise – The Old School Way Still Works. Available at https://www.trustwave.com/Resources/SpiderLabs-Blog/Baiting-Attack-Exercise-%E2%80%93-The-Old-School-Way-Still-Works/ (01/08/2015)
Hobbs, D. (2014). The New Face of Social Engineering and Fraud. Available at http://blog.radware.com/security/2014/05/new-face-of-social-engineering-fraud/ (01/08/2015)
KnowBe4, LLC. What is Vishing? Available at http://www.knowbe4.com/vishing (01/08/2015)
KU Leuven (2013). Identity theft – social engineering. Available at https://admin.kuleuven.be/icts/english/information-security/identity-theft-2013-social-engineering (01/08/2015)
Mosk, G. (2013). Protect yourself Online from Social Engineering and Identity Theft. Available at http://www.domainraccoon.com/blog/social-engineering-and-identity-theft (01/08/2015)
Pontiroli, S. (2013). Social Engineering, Hacking The Human OS. Available at https://blog.kaspersky.com/social-engineering-hacking-the-human-os/ (01/08/2015)
Savage, M. Gaining awareness to prevent social engineering techniques, attacks. Available at http://searchsecurity.techtarget.com/magazineContent/Gaining-awareness-to-prevent-social-engineering-techniques-attacks (01/08/2015)
Secure Thinking Ltd. How to Identify Phone Scams. Available at http://securethinking.co.uk/how-to-identify-phone-scams/ (01/08/2015)
Shimbun, Y. (2010). October 5, 2010: Cybervirus Found in Japan / Stuxnet Designed to Attack Off-Line Servers via USB Memory Sticks. Available at https://311truth.wordpress.com/2014/01/21/october-5-2010-cybervirus-found-in-japan-stuxnet-designed-to-attack-off-line-servers-via-usb-memory-sticks/ (01/08/2015)
Social Engineer, Inc. Vishing as a Service (VaaS). Available at https://www.social-engineer.com/vishing-service/ (01/08/2015)
Social Engineer, Inc. Identity Thieves. Available at http://www.social-engineer.org/framework/general-discussion/categories-social-engineers/identity-theives/ (01/08/2015)
Stanford University (2014). Phishing & Social Engineering. Available at https://web.stanford.edu/group/security/securecomputing/phishing.html (01/08/2015)
Wall Street National (2015). For Social Engineering Scams, The Best Security Patch Is Education. Available at http://www.wallstreetnational.com/for-social-engineering-scams-the-best-security-patch-is-education/ (01/08/2015)