Layale Hachem, Senior Solutions Engineer – BeyondTrust
Do you know anyone who has clicked an unknown link in an email? Or inadvertently given an unauthorised party access to an MFA (multi-factor authentication) asset? Or otherwise divulged their credentials and compromised their digital security? Study after study suggests that you either know someone who has done one of these things or you have done one of them yourself. And even if you are a CISO, some of the most sophisticated cons can fool you too.
Welcome to Social Engineering 101. It fools more people than you might think, and it is on the rise. According to one report, in the United Arab Emirates (UAE), social engineering incidents went through a whopping 230% surge from the first to the second quarter of this year. And just one vendor recorded almost 3.5 million phishing attacks.
Social engineering does not, in itself, inflict damage. Rather, it is a means to make infiltration easier for attackers. Verizon’s 2022 Data Breach Investigations Report (DBIR) puts social engineering or the “human element” as the root cause of 82% of the breaches it examined. Clearly, security professionals have a mountain to climb. So where do they start?
It’s been emotional
First, it is no secret that we humans are engines of emotion. It takes a lot of training and experience to short-circuit a social engineer’s appeals to our curiosity, fear, and anger. Timely content that exploits a widespread feeling is a potent weapon. That is why the initial months of COVID saw massive spikes in cyberattacks around the world. But that is not the only trigger used by social attackers. They also, ironically, use trust — trust based on authority.
Even if it looks like your bank is warning you about something terrifying, like the closure of an account, caution is advised. Most banks and other businesses that rely on trust are open about the fact that they will never ask a customer to divulge sensitive information by phone or email. It is therefore prudent to reach out to the authority in question if they appear to be contradicting that pledge.
Social engineering lies at the periphery of the average user’s cyber knowledge, and those who are aware of it and how it works may think they are not significant enough to be targeted. They may not know that attackers just need a single inroad to begin lateral movement. And they may be unaware that phones, texts, and even snail mail are attack vectors.
Knowledge is power
So, the top advice to any enterprise is to educate users — all users. Train them to verify communications as legitimate by showing them how to identify the source. The email address should have the correct domain and the message should be addressed with the right name or job title (where relevant), and it should be relatively free of grammar and spelling mistakes and out-of-place or foreign characters.
Make sure employees are aware of their value to a threat actor and that no attacker will view them as the final step of infiltration. Explain, in general terms, what lateral movement means and impress upon employees the importance of vigilance. Give them an idea of the number of high-profile attacks that began with a misstep of someone at middle management or below. Follow this up with the reminder that even the simplest of personal information can be the first link in a chain of misfortune. Coach them to be conscious of their emotions and to treat an elevation in curiosity, fear, or anger as a possible indicator of an attempt at social engineering. Cold, calculated process is the preferred alternative to impetuous reaction in an unguarded moment.
A few pointers for users can make the difference. Training sessions can teach them how to check a hyperlink’s actual URL for suspect endings such as “.ru”, and for look-alike characters such as a “+” sign standing in for a lowercase “t”.
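The checks just described (sender domain, link endings, look-alike and out-of-place characters) can be scripted so that a help desk or mail gateway applies them consistently. The following Python is an added example written for this article, not BeyondTrust code; the sample messages are constructed, and the suspect-TLD set and the digit look-alikes beyond the “+” for “t” case are assumptions an organisation would replace with its own policy.

```python
"""Heuristic checks for the red flags listed above: a sender domain that is not
the expected one, a link ending in a suspect TLD, look-alike characters in a
hostname, and foreign letters dropped into the message text.

Added example; the sample messages and the policy sets are constructed."""
import unicodedata
from urllib.parse import urlparse

# ".ru" is the ending the article names; any further entries are an
# organisation's own policy (assumption: the set is meant to be extended).
SUSPECT_TLDS = {"ru"}

# Single-character look-alikes. "+" for "t" comes from the article; the digit
# substitutions are assumed further examples of the same trick.
LOOKALIKE_TABLE = str.maketrans({"+": "t", "0": "o", "1": "l", "3": "e", "5": "s"})


def foreign_letters(text: str) -> list[str]:
    """Non-ASCII letters in text (punctuation such as curly quotes is ignored)."""
    return [f"'{c}' ({unicodedata.name(c, 'UNKNOWN')})"
            for c in text
            if ord(c) > 127 and unicodedata.category(c).startswith("L")]


def check_host(host: str, expected_domain: str) -> list[str]:
    """Red flags for one hostname measured against the domain it claims to be."""
    host, expected = host.lower(), expected_domain.lower()
    if host == expected or host.endswith("." + expected):
        return []  # the genuine domain or one of its sub-domains
    findings = []
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        findings.append(f"'{host}' ends in suspect TLD '.{tld}'")
    # Undo the substitutions; if the result is the expected domain, the
    # original was a look-alike of it.
    normalized = host.translate(LOOKALIKE_TABLE)
    if normalized == expected or normalized.endswith("." + expected):
        findings.append(f"'{host}' is a look-alike of '{expected}'")
    for odd in foreign_letters(host):
        findings.append(f"'{host}' contains non-ASCII letter {odd}")
    return findings


def assess_message(msg: dict, expected_domain: str) -> dict:
    """Run every check over one message; 'links' holds (shown text, real href) pairs."""
    findings = check_host(msg["from"].rsplit("@", 1)[-1], expected_domain)
    for shown, href in msg["links"]:
        real_host = urlparse(href).hostname or ""
        findings += check_host(real_host, expected_domain)
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and shown_host.lower() != real_host.lower():
            findings.append(f"link text shows '{shown_host}' but points to '{real_host}'")
    odd = foreign_letters(msg["body"])
    if odd:
        findings.append(f"body contains out-of-place letter(s): {', '.join(odd)}")
    return {"subject": msg["subject"], "suspicious": bool(findings), "findings": findings}


# Constructed sample mail, not captured traffic. The second message hides a
# Cyrillic 'о' (U+043E) in "custоmer" and a '+' for 't' in the link hostname.
SAMPLE_MESSAGES = [
    {
        "subject": "Your statement is ready",
        "from": "notifications@example.com",
        "body": "Hello, your monthly statement is available in the portal.",
        "links": [("https://example.com/portal", "https://example.com/portal")],
    },
    {
        "subject": "Urgent: account closure",
        "from": "security@examp1e-alerts.ru",
        "body": "Dear cust\u043emer, your account will be closed today. Verify now.",
        "links": [("https://example.com/verify", "https://accoun+s.examp1e.com/verify")],
    },
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        result = assess_message(message, "example.com")
        print(f"{message['subject']!r}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it reports nothing for the first message and four findings for the second: the sender's “.ru” ending, a link whose visible text and real destination differ, a hostname that turns into the expected domain once the look-alike characters are undone, and a Cyrillic letter hidden in an otherwise English word. The look-alike test deliberately compares against the organisation's own domain rather than flagging every digit in a hostname, which keeps ordinary names such as web01.example.com from being reported.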
Let’s get technical
IT, too, can play its part. All OSes and apps should be up to date with the latest security patches, and antivirus software should be properly licensed, appropriately patched, and performing full scans at regular intervals. Spam filters and firewalls can stop some nefarious emails before they hit inboxes.
On top of this, IT and security leaders should implement the principle of least privilege and perform regular audits of credentials to ensure that only those who need access to a resource are granted it. IT administrators should only log on as such when performing tasks that go with the role. It is good practice to remove local admin rights for basic user accounts and to restrict those users who do require privileges, such as network administrators, from accessing the Internet or checking email while logged on with their high-level privileges.
Another best practice is to rip and replace any software asset (especially an OS) that no longer receives patches or is about to go out of support. EOL systems are attractive vectors for threat actors, and in the event that they cannot be replaced, they should not be used to connect to the Internet or receive email. IT and security teams can also perform penetration tests. While tests on infrastructure are always advised, when it comes to employees, pen tests should include social-engineering tactics to see if the training has stuck and to identify employees who may need further sessions.
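The audit rules in the two paragraphs above (entitlements limited to what the role needs, no email or web access from privileged accounts, and no network exposure for systems past end of support) can be expressed as a small check over an inventory export. The script below is an added example for this article, not a BeyondTrust product or tool; the role policy, accounts, hosts, operating-system names and support dates are all constructed, and a real run would read these records from the directory, endpoint agent or CMDB in use.

```python
"""Least-privilege and end-of-life audit over a constructed inventory.

Added example. Account and host records are made up; a real run would read
them from the directory, endpoint agent or CMDB the organisation uses."""
from datetime import date

# Entitlements each role legitimately needs (constructed policy). Standard
# roles deliberately omit "local-admin"; admin roles deliberately omit email
# and internet, which belong on a separate standard account.
ROLE_ENTITLEMENTS = {
    "staff": {"email", "internet"},
    "developer": {"email", "internet"},
    "network-admin": {"network-config"},
    "server-admin": {"server-admin"},
}
BROWSING = {"email", "internet"}


def audit_accounts(accounts: list[dict]) -> list[str]:
    """Report rights beyond the role and browsing ability on privileged accounts."""
    findings = []
    for acct in accounts:
        allowed = ROLE_ENTITLEMENTS[acct["role"]]
        browsing = acct["entitlements"] & BROWSING
        # Browsing on a privileged account gets its own finding below, so it is
        # left out of the generic "excess rights" calculation for those accounts.
        excess = acct["entitlements"] - allowed - (browsing if acct["privileged"] else set())
        if excess:
            findings.append(
                f"{acct['name']}: has {sorted(excess)} beyond role '{acct['role']}'; remove")
        if acct["privileged"] and browsing:
            findings.append(
                f"{acct['name']}: privileged account can use {sorted(browsing)}; "
                "move that to a standard account")
    return findings


def audit_hosts(hosts: list[dict], today: date) -> list[str]:
    """Report systems past (or within six months of) end of support."""
    findings = []
    for host in hosts:
        days_left = (host["support_ends"] - today).days
        exposed = [c for c in ("internet", "mail") if host[c]]
        if days_left < 0 and exposed:
            findings.append(
                f"{host['name']}: {host['os']} out of support since {host['support_ends']} "
                f"and still has {exposed}; replace, or isolate until replaced")
        elif days_left < 0:
            findings.append(
                f"{host['name']}: {host['os']} out of support since {host['support_ends']}; replace")
        elif days_left <= 180:
            findings.append(
                f"{host['name']}: {host['os']} support ends in {days_left} days; plan replacement")
    return findings


# Constructed records (hypothetical names, OS labels and dates).
ACCOUNTS = [
    {"name": "a.reader", "role": "staff", "privileged": False,
     "entitlements": {"email", "internet"}},
    {"name": "b.dev", "role": "developer", "privileged": False,
     "entitlements": {"email", "internet", "local-admin"}},
    {"name": "adm-c.net", "role": "network-admin", "privileged": True,
     "entitlements": {"network-config", "email", "internet"}},
    {"name": "adm-d.srv", "role": "server-admin", "privileged": True,
     "entitlements": {"server-admin"}},
]
HOSTS = [
    {"name": "fs01", "os": "ExampleOS 1", "support_ends": date(2020, 1, 14),
     "internet": True, "mail": False},
    {"name": "db02", "os": "ExampleOS 2", "support_ends": date(2022, 12, 31),
     "internet": False, "mail": False},
    {"name": "ws07", "os": "ExampleOS 3", "support_ends": date(2030, 10, 14),
     "internet": True, "mail": True},
]

if __name__ == "__main__":
    for line in audit_accounts(ACCOUNTS) + audit_hosts(HOSTS, date(2022, 10, 1)):
        print("-", line)
```

With the constructed data the audit reports the developer account that still carries local admin rights, the network administrator whose privileged account can browse and read mail, the file server that is two years out of support yet still Internet-connected, and the database host whose support ends within six months. Passing the current date explicitly keeps the check reproducible and makes it easy to ask "what will be out of support next quarter?".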
Tale as old as time…
The art of the con predates the Internet, the computer, and even the abacus. But just as ancient is the human capacity for beating the con artist at their own game. Be vigilant, train potential victims, and tighten up defenses, and social engineers will be left frustrated.