Imagine the following scene & #8230;
You're off office hours and suddenly get a call supposedly from the Information Technology (IT) from your company requesting a credential for a project or system. The justification for the request is the occurrence of a possible incident and the exposed data need to be transferred to a safe place as soon as possible. One cites genuine characteristics and information that only employees in your industry or project stakeholders would know. How would you react to this request? What about your business colleagues?
Social engineering is not a technology or process problem
In Information Security (SI), we can define as social engineering the interpersonal skills and practices of convincing and trusting people in order to gain benefit and / or confidential information, often posing as another (user) identity. This type of attack mainly exploits the human factor, manipulating the victim according to their characteristics and desires. Therefore, it has no mandatory relationship with computer systems. It occurs when exploring human characteristics such as:
- Confidence - People tend to trust;
- Help - tend to help;
- Utility - feel useful in integrating with the needs of others;
- Vanity - feel safer and more comfortable receiving compliments;
- Personal need - The feeling of personal satisfaction (usually financial);
- New friendships - Dependence on relationships.
Perform verification steps such as identification and authenticationare undoubtedly essential measures to help mitigate the risk of this type of attack, however, it is important to keep in mind that a well-designed and well-targeted social engineering attack should probably have anticipated most of the possible questions and answers in which you can do, or might have thought.
Therefore, an attacker in most cases will not simply make a call requesting for a credential, but instead will exploit the trust of users for as long as it takes to invest, causing them to access, or ultimately provide, the information necessary to him without his having to do so, thus avoiding leaving logs or evidence of access.
This type of attack can be prevented by awareness projects and training for all users of your company. Preparing and testing them must be within your IS planning and routines.
In addition to the most common as online and over the phone, a social engineering attack can have as input:
Dumpster Diving - Search for information unusable / discarded by your company, usually trash and drawers;
Shoulder surfing - View behind the back of a legitimate user, to your screen, for example when entering a password;
Persuasion - Through conversation and persuasion, exploring one or more of the above human characteristics.
How to face this threat?
A social engineering attack can compromise any investment made in an IS program, its impact can be achieved from information obtained by the doorman to the president.
Thus having distinct impacts as regards the criticality of the information obtained.
A good social engineering training program should address such things as:
- Recognition & #8211; of emails (fake, phishings) and phone calls;
- Desk and clean screen & #8211; keep information stored / stored in locked drawers and screens when away from workstation
- Correct Disposal of Paper and Media & #8211; use paper shredders in offices;
- Information Classification - Understanding the complete life cycle, from construction, modification and disclosure;
- Conversation from elevators and restaurants & #8211; often the table next to the restaurant is where your competitor is having lunch, confidential matters should be addressed in tone and only in appropriate places;
- Physical Access Control & #8211; exclusive items for reception staff and other users, such as badge and turnstile use.
Divide the focus and approach of training into groups, as the objectives are distinct among them:
Board - Executives, owners of critical and business processes;
High technical privilege - The group that has access to critical business applications such as system administrators, service desk, among others;
Administrative Tasks Users & #8211; They are employees who do not have privileged access, but deal with critical / confidential information in general, for example: HR, Finance.
Other tips in developing countermeasures:
- Create weekly internal passwords for access to sensitive remote information (applies primarily to telephone contact with IT staff).
- Tell employees to say no when necessary - this is not a problem.
- Promote integration, work out quizzes, treat the subject at workshops in a relaxed manner, handing out prizes to those who show effort to collaborate.Finally, to help measure evolution, conduct periodic social engineering tests and measure in practice how mature your company's users have reached and measure evolution.
This is a type of attack that is difficult to measure and control, as it can come from either an internal or external agent, regardless of preventive measures such as user awareness.
In addition, engaging with the strategic objective will help users realize how valuable information is for a company's survival in an increasingly competitive marketplace. Additionally, along with training and measurement, it will be possible to identify the most engaged users who can contribute to IS initiatives, as well as assist in the mitigation of incidents in a timely manner, adding value to continuous improvement and the IS program.
* This article was written by the Safeway team responsible for Social Engineering projects.
Want to know more? Contact Us: [email protected]
THE [SAFEWAY] is a widely recognized company as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on platforms:
● Archer da RSA Security, considered by the institutes Gartner and Forrester and by the market itself, the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;