Security-Aware Culture Helps Neutralize Social-Engineering Threats

Introduction

Social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. Even with these safeguards, hackers commonly manipulate employees into compromising corporate security. Victims might unknowingly reveal the sensitive information needed to bypass network security, or even unlock workplace doors for strangers without identification. While attacks on human judgment are immune to even the best network defense systems, companies can mitigate the risk of social engineering with an active security culture that evolves as the threat landscape changes.

A security-aware culture must include ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security. This emphasis on security helps employees understand the potential risk of social-engineering threats, how they can prevent successful attacks, and why their role within the security culture is vital to corporate health. Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social-engineering attacks, and are more willing to take ownership of security responsibilities.

Security Awareness Is a Vital Defense

Successful instigators of social engineering are constantly creating and deploying new attacks, forcing employees to recognize and deter threats that are outside of their specific security experience. Many initial social-engineering attacks were successful because they took advantage of real employee names, partial passwords or authentication schemes, and other carefully gathered intelligence to convince employees that they were involved in legitimate transactions. Hackers gathered this information by listening to conversations in restaurants and public places, watching people enter passwords and PINs into laptops and ATMs, and even searching through corporate garbage receptacles. Some of the attacks created with stolen information were so sophisticated that employees didn’t even know that they had facilitated a security breach.

Today, many hackers integrate technology into their schemes to launch even more creative, sophisticated, and destructive attacks. Two examples of social-engineering techniques that integrate technology are phishing and pharming.

• Phishing elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a Website to update information such as a bank-account number. These fake Websites look realistic enough to fool many victims into revealing data that can be used for identity theft. Statistics from the Anti-Phishing Working Group (APWG) show that between July 2004 an March 2005, the number of phishing attempts grew by an average of 26 percent per month.
• Pharming also takes advantage of false Websites, but redirects users to the false site as they attempt to access a legitimate Website. This redirection, also known as domain spoofing, can be perpetrated through an e-mailed virus that lies dormant on a PC until the user enters a specific URL, or by poisoning a domain name system (DNS) directory. A DNS translates Web and e-mail addresses into numeric strings. In a poisoned DNS, the links that associate Web addresses with numeric strings are changed so users are directed to a false Website when they enter a specific URL. Any secure information entered into the false Website, such as a user name and password, is captured by hackers.

Some security software is available to combat phishing and pharming, but the best defense against the full range of social-engineering attacks is a corporatewide culture of security awareness. Like automated network-defense systems that identify and repel new viruses without human interaction, a security-aware culture helps employees easily and routinely identify and repel social-engineering attacks.

The Security-Aware Culture

By changing tactics regularly and incorporating business information and technology into their schemes, attackers have created a shifting landscape of very sophisticated attacks. As a result, security teams must go beyond simply training employees to respond correctly to specific threats. Employees must be empowered to recognize potential threats and make correct security decisions on their own, so that even very realistic requests for secure information can be instinctively met with skepticism and caution. Embedding security awareness this deeply in the minds of employees is a significant challenge that involves much more than periodic awareness programs.

Creating a strong and viable security culture requires a collective security vision with a core set of principles. These principles give employees ownership of corporate security, accountability for their actions, and the expertise to cope with changing social engineering threats. Every executive and employee must understand the risk of security breaches, the security procedures that can protect them from attack, the reason for each procedure, and the overall goals and limitations of enterprise security. Employees must understand that they are essentially the last line of defense against hackers who have turned to social engineering because they cannot breach the security systems any other way.

Creating and Maintaining a Security-Aware Culture

Social engineering attacks are personal. Hackers understand that employees are often the weakest link in a security system—they are susceptible to trickery, and their varied responses can give attackers many opportunities for success. One of the greatest dangers of social engineering is that the attacks need not work against everyone. A single successful victim can provide enough information to trigger an attack that will affect an entire organization.

Creating a security-aware culture requires the commitment of the executive staff, the involvement of all employees, and effective security policies and procedures for everyone tied to the organization, including vendors and partners.

Top-Down Security Culture: Executive commitment is vital to a security-aware culture. When security awareness is emphasized by the top levels of management, employees are more likely to view security as a business enabler instead of a hindrance to productivity. An executive staff that takes the initiative to be informed and involved in security issues, rather than off-loading responsibility to a security team, will encourage a security culture that is collaborative, structured, and ingrained throughout the organization’s processes and people.

Security-Awareness Training: Most employees do not cause security problems intentionally. Accessing unsecure Websites, deploying unauthorized wireless access points, or falling victim to social-engineering ploys are common employee actions that result in security breaches. The best way to avoid unintentional security problems is to provide all employees with regular security-awareness training. This training must inform employees of new threats and refresh their understanding of how to identify and avoid social-engineering attacks. An annual seminar or occasional memo is not an effective approach; organizations must treat security-awareness training as a normal, enduring aspect of employment.

With proper training, every employee should understand the company’s physical security measures, know how to handle and protect confidential data, and be able to recognize and respond appropriately to social-engineering attempts. Employees in higher risk positions for social-engineering attacks, such as help-desk staff and network administrators, may benefit from specialized training. An ongoing risk assessment that tests the resistance of employees to social-engineering attempts and techniques can help assess the validity of the training program and further raise security awareness.

Security Policies and Procedures: Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:

• Password Management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure information assets.
• Two-Factor Authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.
• Anti-Virus/Anti-Phishing Defenses: Multiple layers of anti-virus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social-engineering attacks.
• Change Management: A documented change-management process is more secure than an ad-hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
• Information Classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
• Document Handling and Destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
• Physical Security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

Conclusion

The security risks of social engineering are significant, and organizations must address social-engineering threats as part of an overall risk-management strategy. The best way to mitigate the risk posed by rapidly evolving social-engineering methods is through an organizational commitment to a security-aware culture. Ongoing training will provide employees with the tools they need to recognize and respond to social-engineering threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture.