Social Engineering: The Email Security Wildcard
Protect Your Users from Themselves
April 26, 2005
You can install the strongest firewall, the best anti-virus software and the most robust intrusion detection system (all available, incidentally, in one world-class appliance), but there is still a weak link in your security plan that you may have overlooked: your users. If people in your organization can be manipulated into revealing their network passwords or other business-critical information, those controls are not defeated but bypassed; the attacker walks through them with legitimate credentials. Unless your end users are educated about the online risks they face every day, you could find yourself staring down the barrel of a devastating attack, resulting in large-scale theft of intellectual property or funds, virus infection, or both.
This week, we’ll discuss some common social engineering tactics and what you can do to protect your organization’s network against those who would rather exploit your people than your software.
The Path of Least Resistance
Give a burglar a brick and he will break a window to get into your home; give him a screwdriver and he will jimmy the locks. Neither is a particularly desirable way in: both are noisy and leave evidence. Give him a key, however, and he will just walk right in, with little or no fear of being detected.
In the information security world, online burglars get that key through social engineering. Contrary to popular belief, social engineers do not need to be particularly technically savvy; they achieve their goals through "people skills." They use charm, intimidation or trickery to convince others to disclose information that compromises the security of the network and, with it, the security of the entire enterprise.
There’s a Sucker Born Every Minute
Kevin Mitnick is perhaps the most notorious computer hacker in the world. Tracked down and arrested in 1995 after two years on the run, he served five years in prison and three additional years on probation for hacking-related offenses. Now a highly sought-after information security consultant who educates organizations on how to prevent social engineering and other attacks, Mitnick testified before Congress that the weakest element in computer security is none other than the end user. "I was so successful in [social engineering] that I rarely had to resort to a technical attack," Mitnick explained. He added that "employee training to recognize sophisticated social engineering attacks is of paramount importance."
While there are many forms of social engineering, a popular technique in the business environment involves sending an e-mail to a user within a company, purporting to be a coworker or business partner who needs a seemingly innocuous piece of information, such as an e-mail address or phone number. Each answered request builds trust and gives the attacker more context with which to sound legitimate. The social engineer then escalates to sensitive information, such as financial data, Social Security numbers or network passwords, all the while reinforcing the victim's perception that they are helping an authorized recipient of the information.
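The escalation above works because the recipient trusts who the mail claims to be from, and that part, unlike the persuasion in the body, is something a mail gateway or a script can check. The Python below is an added example for this article, not CipherTrust or IronMail code, and it goes a little beyond the single case described: it flags an employee's display name on an external address, a Reply-To that diverts replies to another domain, a sender domain that imitates the company or a partner (confusable characters such as "1" for "l" or "rn" for "m", or a one-character typo), and a request for sensitive data from an external sender. The organization, domains, employee directory and both messages are constructed for illustration.

```python
"""Flag header-level impersonation signals in an inbound e-mail.

Added example for this article; it is not CipherTrust or IronMail code.
The organization, domains, employee directory and messages below are
constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organization's own domain, approved partner domains and
# the employee display names an impersonator would copy.
INTERNAL_DOMAIN = "example-corp.com"
PARTNER_DOMAINS = {"acme-supplies.com"}
EMPLOYEE_NAMES = {"dana whitfield", "marcus lee"}

# Requests for these from an unverified sender should trigger the policy's
# call-back procedure rather than a reply.
SENSITIVE_TERMS = ("password", "social security", "wire transfer", "account number")


def edit_distance(a, b):
    """Levenshtein distance; catches one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Collapse visual confusables so 'acrne' and 'examp1e' match their targets."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(src, dst)
    return domain


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True if domain is untrusted but visually or typographically close to a trusted one."""
    trusted = {INTERNAL_DOMAIN} | PARTNER_DOMAINS
    if domain in trusted:
        return False
    nd = normalize(domain)
    return any(nd == normalize(t) or edit_distance(domain, t) <= 1 for t in trusted)


def plain_text(msg):
    """Concatenated text/plain parts of a parsed message, lower-cased."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(chunks).lower()


def analyze(raw):
    """Return the list of impersonation indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. An employee's display name on an address outside the company.
    if name.strip().lower() in EMPLOYEE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(f"employee name '{name}' on external address {addr}")

    # 2. Replies silently diverted to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} diverts replies away from {from_dom}")

    # 3. Sender domain that imitates the company or a partner.
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} imitates a trusted domain")

    # 4. The escalation step: someone outside the company asking for sensitive data.
    text = plain_text(msg)
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits and from_dom != INTERNAL_DOMAIN:
        findings.append("external sender requests: " + ", ".join(hits))
    return findings


# Constructed pretext in the escalation style described above: a familiar
# name, a plausible urgency, and a request that policy says must be verified.
PRETEXT = """\
From: Dana Whitfield <dana.whitfield@examp1e-corp.com>
Reply-To: d.whitfield.finance@webmail-example.net
To: marcus.lee@example-corp.com
Subject: Quick favor before the board call
Content-Type: text/plain; charset=utf-8

Marcus, I'm locked out and the help desk is swamped. Could you send me the
password for the shared finance account so I can pull the wire transfer
report? Thanks, Dana
"""

# Constructed internal message that should raise nothing.
ROUTINE = """\
From: Marcus Lee <marcus.lee@example-corp.com>
To: dana.whitfield@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Noon at the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("pretext", PRETEXT), ("routine", ROUTINE)):
        print(label, analyze(raw) or ["no indicators"])
```

Run against the pretext, the script reports all four indicators; the routine internal note reports none. The point of the example is the division of labour: software can tell you that "Dana" is writing from a domain with a digit in it and wants replies sent elsewhere, but only a trained user, following the policy below, decides that the right response to a request for a password is a phone call to a known number, not a reply.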
Defending Against Social Engineers
While a comprehensive security strategy should always include defense against technical threats like spam, viruses and hacking, it must also address social threats that software alone cannot detect. Unfortunately, the social element of network security is often ignored. Just because you hire the best and brightest does not mean they know better than to give out their passwords. Unless explicitly instructed otherwise, the average employee has no reason to question someone who appears to have a legitimate reason for asking. Even security-conscious IT team members may hesitate to demand proof of identity from an irate caller claiming to be a member of upper management.
Protecting your enterprise from social engineering attacks requires a set of security policies that explain why such requests must be verified and lay out the procedure for doing so. Developing the policies, however, is only the first step. For a security policy to be effective, it must be disseminated to all users of the network, with ongoing education and training to explain why compliance matters. In addition, all members of management must agree to the policies, understand the need to prove their identities when requesting passwords or other sensitive information, and expect to be challenged when they do.
When developing your security policy, be specific. Address the need for strong passwords, including minimum length, complexity requirements, expiration period, and a prohibition on easily guessed values such as birthdates and family names. But be wary of unintended consequences: organizations that make password rules overly complex simply end up with passwords attached to monitors on sticky notes. Make sure your end users understand when they should and should not disclose their passwords (a legitimate request for a user's own password is rare enough that every one should be verified) and what procedure to follow when their password is requested.
Take the first step towards securing your enterprise network today. Download CipherTrust’s free whitepaper, Securing the Email Boundary: An Overview of IronMail.