Phishing, shoulder surfing and similar attacks are just a few examples of social engineering, which relies on manipulating human behavior to succeed. But what exactly is social engineering, and how do we reduce our vulnerability to it?
In short: it comes down to basic manipulation
Social engineering occurs when an attacker manipulates someone into doing something that serves the attacker's goal, such as sharing login credentials or leaving a computer unlocked and unattended.
Attackers often use deception or distraction as part of these efforts. So how do we limit our vulnerability to attacks that play on our own instinctive reactions?
Reduce your vulnerability
Ultimately, no organization is perfectly secure, but there are things you can do to limit the success and impact of social engineering.
1. User awareness
The human element will always be a weak point in almost any security discussion, but that is especially true of social engineering: by definition, it cannot happen without people to manipulate.
Regular training sessions for employees on cybersecurity topics, including phishing and social engineering, enable them to recognize attempts and take a proactive approach.
2. Review your policies and procedures
Consider including the following in your policies:
- Safety first: make locking computers the standard behavior whenever a desk is left, even briefly.
- Standardize emails and signatures: if the company standardizes the look of emails and signatures, an attacker has to have obtained a genuine internal email to copy the format and signature convincingly. That raises the bar, and deviations from the standard become a visible warning sign that helps separate targeted attacks from low-effort ones.
- Make a phone call: for important actions such as arranging a funds transfer, confirm the details by phone after the email arrives. Call a number taken from the corporate directory or an existing contact record, never one supplied in the email itself, since an attacker controls everything in the message.
- Easily verify identities: consider making a corporate directory available to all employees so they can verify the identity of anyone claiming to be a colleague, reducing the likelihood that an attacker impersonating someone internally succeeds.
- If in doubt, check: if you are not sure a link is legitimate, ask the sender BEFORE clicking it, and do so over a separate channel (phone, chat, or a fresh email to a known address) rather than by replying to the message in question.
- Report: have a clear, blame-free process for employees to report social engineering attempts, and communicate and practice it regularly. This is the best way to limit further damage and the only way to learn what methods attackers are using against you. Shaming people for falling for phishing or other social engineering only makes them less likely to report it next time.
3. Technical checks
There are several options for limiting access to known phishing links and senders, depending on how much control you have over the endpoint and the network. With the right setup, you could:
- Check DNS: publish an SPF record for each of your domains. Note that SPF only authorizes the envelope sender (MAIL FROM); to stop attackers from spoofing the From: address users actually see, pair it with DKIM signing and a DMARC policy of quarantine or reject.
- Be able to isolate computers from the network quickly, and shut them down if needed. Rapid isolation is generally preferable to shutdown, because powering off a system destroys in-memory evidence (such as encryption keys and running-process state) that could help with investigation and recovery.
- Traffic routing: null-route or block known-malicious IP addresses at the network edge so that compromised endpoints cannot reach them.
- Proxy for URL-level control: a web proxy gives visibility and control over full URLs, a big improvement over seeing only source and destination IP addresses, and lets you block known phishing pages rather than whole hosts.
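As an added example (not code from the original post), the following Python script lints the SPF record mentioned above and, going one step beyond the text, the DMARC record that ties SPF results to the visible From: address. It takes the TXT record strings as input (for instance the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`) so it runs offline; the sample records at the bottom are constructed for illustration and the domain names in them are placeholders.

```python
"""Static lint for SPF and DMARC TXT records (added example, not from the post)."""
import re

# SPF mechanisms/modifiers that each cost one DNS lookup. RFC 7208 caps a
# record at 10 such lookups; receivers return a permanent error beyond that,
# which can cause legitimate mail to be rejected or treated as unauthenticated.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(record: str) -> list[str]:
    """Return findings for one SPF TXT record (empty list = no issues found)."""
    findings: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1 (not an SPF record)"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        if all_qualifier is not None:
            # Receivers stop at the first matching 'all', so later terms never apply.
            findings.append(f"terms after 'all' are ignored: {term!r}")
            break
        # "-include:example.com" -> qualifier "-", name "include", value "example.com".
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.*))?", term)
        if not m:
            findings.append(f"unparseable term: {term!r}")
            continue
        qualifier = m.group(1) or "+"          # a missing qualifier means "+" (pass)
        name = m.group(2).lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (slow and unreliable)")
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain; use -all or ~all")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    return findings


def lint_dmarc(record: str) -> list[str]:
    """Return findings for a _dmarc.<domain> TXT record.

    SPF alone only checks the envelope sender; DMARC is what makes receivers
    apply a policy when the visible From: domain is not authenticated.
    """
    findings: list[str] = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings


if __name__ == "__main__":
    # Constructed sample records; example.com / example.net are placeholders.
    samples = {
        "good SPF": "v=spf1 include:_spf.example.net -all",
        "permissive SPF": "v=spf1 a mx +all",
        "weak DMARC": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    }
    for label, rec in samples.items():
        lint = lint_dmarc if "DMARC" in label else lint_spf
        print(f"{label}: {lint(rec) or 'OK'}")
```

Run it against records you have already resolved; a non-empty list from `lint_spf` or `lint_dmarc` is a configuration worth fixing before relying on receivers to reject spoofed mail in your name.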
Attackers exploit basic human behavior when they use social engineering, but that does not mean we cannot defend against it. I hope these options help you reduce your vulnerability.
Want to learn more about how to secure your organization? Contact us; we are here to help.