Security-Aware Culture Helps Neutralize Social-Engineering Threats

Introduction

Social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. Even with these safeguards, hackers commonly manipulate employees into compromising corporate security. Victims might unknowingly reveal the sensitive information needed to bypass network security, or even unlock workplace doors for strangers without identification. While attacks on human judgment are immune to even the best network defense systems, companies can mitigate the risk of social engineering with an active security culture that evolves as the threat landscape changes. A security-aware culture must include ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security. This emphasis on security helps employees understand the potential risk of social-engineering threats, how they can prevent successful attacks, and why their role within the security culture is vital to corporate health. Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social-engineering attacks, and are more willing to take ownership of security responsibilities.

Security Awareness Is a Vital Defense

Successful instigators of social engineering are constantly creating and deploying new attacks, forcing employees to recognize and deter threats that are outside of their specific security experience. Many initial social-engineering attacks were successful because they took advantage of real employee names, partial passwords or authentication schemes, and other carefully gathered intelligence to convince employees that they were involved in legitimate transactions.
Hackers gathered this information by listening to conversations in restaurants and public places, watching people enter passwords and PINs into laptops and ATMs, and even searching through corporate garbage receptacles. Some of the attacks created with stolen information were so sophisticated that employees didn’t even know that they had facilitated a security breach. Today, many hackers integrate technology into their schemes to launch even more creative, sophisticated, and destructive attacks. Two examples of social-engineering techniques that integrate technology are phishing and pharming.
Some security software is available to combat phishing and pharming, but the best defense against the full range of social-engineering attacks is a corporate-wide culture of security awareness. Like automated network-defense systems that identify and repel new viruses without human interaction, a security-aware culture helps employees easily and routinely identify and repel social-engineering attacks.

The Security-Aware Culture

By changing tactics regularly and incorporating business information and technology into their schemes, attackers have created a shifting landscape of very sophisticated attacks. As a result, security teams must go beyond simply training employees to respond correctly to specific threats. Employees must be empowered to recognize potential threats and make correct security decisions on their own, so that even very realistic requests for secure information can be instinctively met with skepticism and caution. Embedding security awareness this deeply in the minds of employees is a significant challenge that involves much more than periodic awareness programs. Creating a strong and viable security culture requires a collective security vision with a core set of principles. These principles give employees ownership of corporate security, accountability for their actions, and the expertise to cope with changing social-engineering threats. Every executive and employee must understand the risk of security breaches, the security procedures that can protect them from attack, the reason for each procedure, and the overall goals and limitations of enterprise security. Employees must understand that they are essentially the last line of defense against hackers who have turned to social engineering because they cannot breach the security systems any other way.

Creating and Maintaining a Security-Aware Culture

Social-engineering attacks are personal.
Hackers understand that employees are often the weakest link in a security system—they are susceptible to trickery, and their varied responses can give attackers many opportunities for success. One of the greatest dangers of social engineering is that the attacks need not work against everyone. A single successful victim can provide enough information to trigger an attack that will affect an entire organization. Creating a security-aware culture requires the commitment of the executive staff, the involvement of all employees, and effective security policies and procedures for everyone tied to the organization, including vendors and partners.

Top-Down Security Culture: Executive commitment is vital to a security-aware culture. When security awareness is emphasized by the top levels of management, employees are more likely to view security as a business enabler instead of a hindrance to productivity. An executive staff that takes the initiative to be informed and involved in security issues, rather than off-loading responsibility to a security team, will encourage a security culture that is collaborative, structured, and ingrained throughout the organization’s processes and people.

Security-Awareness Training: Most employees do not cause security problems intentionally. Accessing unsecure websites, deploying unauthorized wireless access points, or falling victim to social-engineering ploys are common employee actions that result in security breaches. The best way to avoid unintentional security problems is to provide all employees with regular security-awareness training. This training must inform employees of new threats and refresh their understanding of how to identify and avoid social-engineering attacks. An annual seminar or occasional memo is not an effective approach; organizations must treat security-awareness training as a normal, enduring aspect of employment.
With proper training, every employee should understand the company’s physical security measures, know how to handle and protect confidential data, and be able to recognize and respond appropriately to social-engineering attempts. Employees in higher-risk positions for social-engineering attacks, such as help-desk staff and network administrators, may benefit from specialized training. An ongoing risk assessment that tests the resistance of employees to social-engineering attempts and techniques can help assess the validity of the training program and further raise security awareness.

Security Policies and Procedures: Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:
Conclusion

The security risks of social engineering are significant, and organizations must address social-engineering threats as part of an overall risk-management strategy. The best way to mitigate the risk posed by rapidly evolving social-engineering methods is through an organizational commitment to a security-aware culture. Ongoing training will provide employees with the tools they need to recognize and respond to social-engineering threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture.