The biggest threat to confidentiality today is social engineering. Even enterprises with solid cybersecurity frameworks in place can easily be the victims of attacks. Security firms usually think in terms of technical solutions, but if someone unwittingly provides a way for a social engineer to gain access, even the toughest data security won’t help. So what can a small business do to protect its data?
According to Symantec Security Response, 97% of cyber attacks come as the result of social engineering, with only 3% exploiting a technical flaw. It makes sense: why would an attacker spend hours identifying and exploiting a vulnerability in a well-guarded defense system when they can just trick an employee into letting them waltz right in?
Social engineering is often used as the entry point for a larger attack. An attacker can get past even strict security at a large company just by walking up to the front desk, claiming to be sent from head office to patch the system and asking to quickly use a logged-in computer. Most people simply aren’t ready to spot a sophisticated social engineering attack, and even companies with robust IT security in place can be easy targets. Why try to crack a password when you can manipulate someone into giving you access without even needing one?
One of the classic social engineering techniques that most people are aware of is phishing – obtaining confidential information via email. Now, just because people know about phishing attacks, it doesn’t mean they won’t fall prey to them. If an employee sees an interesting-looking email in their spam folder and decides to follow the link or open the attachment, they may be reopening a door for an attacker that the email security had previously locked.
How much do you know?
If the target is valuable, then the social engineering attack could have started long before that, with the attacker learning which systems the company uses and therefore what the phishing email should actually do. Easy-to-use tools such as the Social Engineering Toolkit can very quickly clone a site’s login portal, to be sent as a link in a phishing email that eventually provides the attacker with login credentials, and that’s just with an email link. If the victim opens a malicious attachment, the entire network could be infected with something dangerous yet difficult to detect until serious damage has been done.
If senior management is targeted in this way, things can quickly become far worse, as they are likely to have a high level of access within the computer system, even if they don’t need it to do their job. They are senior management after all; they should be able to keep that data safe.
So perhaps it’s not always a good idea for senior management to have full access. Well, I’d go further than that and say that it’s never a good idea for anyone to have full access. People who don’t need access to a particular system for their job shouldn’t have it. Implementing layered security using the principle of least privilege is one way to protect against social engineering attacks. Layered security can be costly, and not always practical for small businesses, but if someone doesn’t have some information, they can’t be tricked into giving it up.
Beware of dumpster divers
Files, documents, even old hard drives can be obtained by sneaking round the back of an office and simply searching through the trash. It should go without saying that all paper documents should be properly shredded prior to going into the trash, but physical media is often not disposed of correctly, and data on a merely formatted hard drive can be recovered quite easily. Software can be used to erase all data on a disk, and a magnetic hard drive can be degaussed, but it should still be destroyed completely before being thrown out.
Stop physical access
If someone has physical access to a network, they may be able to not only clone a website but make it appear legitimate, by altering the DNS settings so that the correct URL appears in the address bar, and even by creating a fake SSL certificate that does in fact encrypt traffic, but for which they hold the key. Allowing an unauthenticated person onto the network is bad news. One solution to this is to encrypt all traffic over the network. Whilst large offices need enterprise-level equipment, a smaller office of up to, say, 25 employees could get away with using a high-end consumer VPN router. Additionally, with a simple switch and lots of cables, every machine can connect through Ethernet rather than WiFi, meaning no one will be broadcasting their internet traffic.
As I mentioned, the best way to stop someone accidentally giving away important information is to make sure they don’t have it in the first place. This is where we use access control to limit what a person can access.
Implement RBAC
Role-based access control can help to keep your office secure, as only people who need access in order to carry out their duties are able to access a system, and they can’t grant access to others. It doesn’t necessarily have to be expensive or extremely complicated either, as explained by CSO. When combined with multi-factor authentication, it creates a well-protected environment against social engineering attacks. It’s worth noting that, although these protections might not stop the most determined attacker, they make a successful breach much more difficult, and therefore make your company a less inviting target.
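As an added illustration of the least-privilege and RBAC points above (example code written for this page, not code from the original article or from CSO), the following Python sketch uses constructed roles, users and permission strings, all of which are assumptions; it shows that a senior user without the relevant role is denied, that ordinary users cannot grant access to anyone (themselves included), and that every decision is recorded for later review.

```python
# Added example: a minimal role-based access control (RBAC) check built
# on least privilege. Roles, permission strings and users are constructed
# sample data for this page, not a real product's data model.
from dataclasses import dataclass, field

# Each role carries only the permissions its duties require.
ROLE_PERMISSIONS = {
    "finance": {"invoices:read", "invoices:write"},
    "hr": {"personnel:read", "personnel:write"},
    "ceo": {"invoices:read", "reports:read"},   # senior, but not full access
    "it_admin": {"roles:assign"},               # the only role that may grant access
}


@dataclass
class Directory:
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    audit: list = field(default_factory=list)        # (user, permission, allowed)

    def permissions_of(self, user: str) -> set:
        # Unknown users have no roles and therefore no permissions (deny by default).
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def can(self, user: str, permission: str) -> bool:
        # Every decision, allowed or denied, is logged; repeated denials for
        # one account are a useful signal that someone is probing for access.
        allowed = permission in self.permissions_of(user)
        self.audit.append((user, permission, allowed))
        return allowed

    def assign_role(self, actor: str, target: str, role: str) -> bool:
        # Only holders of roles:assign may change membership. An ordinary user,
        # however senior, can neither grant access to others nor to themselves.
        if role not in ROLE_PERMISSIONS or not self.can(actor, "roles:assign"):
            return False
        self.user_roles.setdefault(target, set()).add(role)
        return True


def demo() -> Directory:
    # Constructed office: a CEO, an HR clerk and one IT administrator.
    d = Directory({"alice": {"ceo"}, "bob": {"hr"}, "carol": {"it_admin"}})
    d.can("alice", "personnel:read")          # denied: CEO does not do HR work
    d.assign_role("alice", "alice", "hr")     # denied: cannot self-grant
    d.assign_role("carol", "bob", "finance")  # allowed: admin assigns a role
    return d
```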
Be careful who you trust
These are all ways to mitigate the effect of a social engineering attack, but they can’t stop it altogether. Secure file sharing apps can protect sensitive files, and there are encrypted messaging services, but the best way to avoid falling victim to such an attack is to keep privileges to the minimum required for an employee to perform their duties, and to make sure everyone is aware of the threat of social engineering attacks. A healthy level of distrust and paranoia can be valuable in protecting businesses from cyber threats.