
The Threat of Social Engineering Attacks (3/3)

Defenses & Risk Reduction

Vigilance is the Price of Cyber Security


How do you Guard against this Threat?

“Eternal Vigilance is the Price of Liberty”
- Wendell Phillips, Jan 28, 1852

It is also the Price of Cyber Security.

The instances of cybercrime have been rising progressively for almost three decades. In 2018, the average computer user in the United States received sixteen phishing emails per month¹, and that figure does not count the higher attack rates faced by corporate Internet users. In this environment the only real defense is to inform all staff members about the threats and their security responsibilities, and to instill in them a state of constant vigilance.

How to Minimize the Risk of a Successful Attack

  1. Stay Frosty
    The first and best rule for ALL computer users is to STAY CALM & ALERT at all times. Always check both the sender and the sending domain, to make sure they are who they claim to be and not a scammer sending emails through a lookalike domain. Be careful of what's after the @.

  2. Keep your Security Updated
    Make sure your antivirus software is up-to-date and ALWAYS VIRUS-SCAN ALL EMAIL ATTACHMENTS before opening them, no matter who they’re from.

  3. Beware Things that don’t Sound Right
    Every person has a “tone and style” when they write, even if it’s just a quick note. Users need to become aware of this when dealing with friends, colleagues, and regular contacts. That way, when something arrives that doesn’t sound quite right, it will arouse their suspicion rather than spur them into hasty action.

The rule here is: “If there is ANY suspicion at all that an email is not what it appears to be, contact the person in question through another means to make sure the message is genuine.” This can be by phone, by a messaging application, or even by walking over to another cubicle. These three simple steps will provide a massive reduction in a company’s risk of exposure, provided ALL your employees follow them.


Reducing Risks at the IT Department Level

  1. Configure SPF Records² and use DKIM³ on Company Domains
    Sender Policy Framework (SPF) records let a receiving mail server check that a message arrived from a server authorized to send for your domain, pure and simple. Combining this with DomainKeys Identified Mail (DKIM), which adds a cryptographic signature over the message (including the “From” field) that receivers verify against a public key published in your DNS, will go a long way toward preventing forged emails that pretend to originate from an in-house email address. Both mechanisms only work when the receiving side checks them, so your own inbound gateway should verify SPF and DKIM results as well as publishing records for your domains.

  2. Block Undesirable Email Attachments
    Certain file types carry greater risks than others, and these should be blocked by your corporate email system by default. Check the final extension of the actual filename rather than the one that is displayed, since a name such as invoice.pdf.exe is still an executable. Undesirable file extensions include:

    Executables - .exe, .msi, .abb, .vb, .scr, and others⁴.

    Script Files - .js, .bat, .vbs, .jar, and others⁴.

    System Files - .dll, .sys, .ax, and others⁴.

  3. Keep all Software Up-to-Date
    Your IT department should be doing this already, as a matter of course. Failing to keep your operating systems and programs up to date can and will leave your systems open to exploitation via a long list of vulnerabilities (CVEs), as detailed above.

  4. Conduct Cyber Security Awareness Training
    As previously mentioned, staff are the weakest link in any security chain. Focused security awareness training can turn them from a vulnerability into the company’s first line of defense.
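As an added example (not code from the original page or from Armament Solutions), the following Python script applies two of the checks above to a constructed sample message: it extracts what comes after the @ of the real sender address, ignoring any display name, and it flags attachments whose final extension is on the page's block list, catching case variations and double extensions such as invoice.pdf.EXE. The block-list set, the example.com domain and the sample message are assumptions constructed for the demonstration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Extensions the page lists as undesirable; its "and others" is left open,
# so extend this set to match your own gateway policy (assumed list).
BLOCKED_EXTENSIONS = {
    ".exe", ".msi", ".abb", ".vb", ".scr",   # executables
    ".js", ".bat", ".vbs", ".jar",           # script files
    ".dll", ".sys", ".ax",                   # system files
}

def sender_domain(from_header: str) -> str:
    """Return what is after the '@' of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def is_blocked_filename(name: str) -> bool:
    """True if the final extension is on the block list. Case-insensitive, and
    trailing dots/whitespace are stripped, so 'report.pdf.EXE.' is still caught."""
    cleaned = name.strip().rstrip(".").lower()
    dot = cleaned.rfind(".")
    return dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS

def blocked_attachments(raw_message: bytes) -> list:
    """Parse an RFC 5322 message and return the attachment names to block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if is_blocked_filename(part.get_filename() or "")
    ]

def build_sample_message() -> bytes:
    """Constructed sample: one harmless PDF plus two disguised executables."""
    msg = EmailMessage()
    msg["From"] = '"Accounts" <accounts@example.com>'  # example.com is assumed
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for name, data in [("invoice.pdf", b"%PDF-1.4"),
                       ("invoice.pdf.EXE", b"MZ"),
                       ("update.vbs", b"WScript.Echo 1")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```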

Basic Training

Because most ordinary employees are not computer geeks, cyber security awareness training must be focused on practical aspects of security, rather than technical ones. Scenarios, such as those on the preceding page, must be worked through, together with the security implications of each and the appropriate countermeasures.

Further, cyber security is an all-or-nothing endeavor, so ALL staff members must take part in basic training. This is likely to draw scoffs and derision from the company’s IT and Cyber Security employees, but all really does mean ALL. Remember that twelve percent of all those suckered by the mock attack study were IT and Cyber Security professionals, so these departments are by no means impervious to social engineering attacks, even if they do consider themselves to be bulletproof.

Ultimately it’s better to have your techies sitting bored through cyber security awareness training than to have them miss something and put your entire operation in jeopardy.

It’s also highly recommended to put IT staff through a secondary training program, an advanced cyber security bootcamp, if you will. These individuals are your company’s second line of defense. They must ensure that the network is locked down as tightly as possible, and they are the ones who must contain and remedy the damage if an intrusion attempt is successful. It pays to have them as prepared as possible.

Cyber Security Awareness Training is not Fire & Forget

Cybercrime is not static. The threat landscape changes. Incursion vectors evolve. New angles of attack are developed. That’s why any awareness training program must include periodic updates, to keep employees honed as the first line of defense, instead of having them slowly slip back into the realms of being security weaknesses.

Additionally, the organization’s state of cyber security awareness should be examined to gauge the effectiveness of the training. This should include testing at the individual level, through questionnaires and surveys, as well as random penetration tests and mock social engineering attacks. These measures are the only way to be sure staff remain in a constant state of alertness and conscious of their collective responsibility for the security of the company.

Armament Solutions Limited