Social Engineering Strategies

Dolyetyus (Co Admin), 21 Apr 2020
Welcome Turk Hack Team Members, we'll discuss social engineering strategies today.

What’s A Good Social Engineering Strategy?

Trust no one.

More than a pop culture slogan, it’s a mantra enterprises need to impress upon employees. Social engineering, after all, often begins with an appeal to trust or to help someone else. And despite our best intentions to help our fellow man, encouraging healthy doubt is only one component of a strong strategy to prevent and protect against social engineering attacks.




Social Engineering Basics

Social engineering, commonly known as “people hacking,” typically aims to access a system, device, or physical premises to:

  • Steal passwords or confidential data
  • Install malware
  • Damage the company’s reputation or profit illegally


Social engineers aim to gain their victims’ trust while appearing friendly and unassuming. Whether making contact in person, by phone, or via email or other business correspondence, they might pose as a fellow employee, a past employee, or a representative of a vendor or contractor.

In voice phishing, or “vishing,” they might mask their caller ID or use a spoof number so that their call appears to be coming from within the same office complex. In such attacks against companies, the attackers might pretend to be IT support or executive-level end users.

The best social engineers will also take the time to do their research. Using social networks and information available online, they will gain access to personal details that can make their pitch more convincing. That photo of your dog you posted on Instagram? Yep, it could be used against you. By gleaning the target’s interests and habits from social media, for instance, a fraudster can tailor an email to appeal specifically to that target and increase the chances that he or she opens the email and clicks the link.

A malicious social engineer doesn’t stop at the individual; he’ll also familiarize himself with the target company’s procedures. Arming himself with an understanding of your way of doing things bolsters his credibility.

This could even extend to a bad actor putting your employee (the targeted victim) on hold to listen to the very same hold music your company uses, which has been recorded in advance to help psychologically trigger a sense of familiarity. A good social engineer has plenty of tricks like this up his sleeve.


Strengthen Your Social Engineering Strategy

As social engineering attacks become more common, they also grow increasingly sophisticated. Every business — from SMB to enterprise — needs to devise a strategy to protect against this form of psychological manipulation.

Only 3% of malware Symantec Security encounters try to exploit technical weaknesses. The remaining 97% tries to trick a user through some type of social engineering. That’s a huge risk stemming from the people under your own roof.

Social engineering attacks can’t be prevented with technology alone. That’s why the best social engineering strategy adds security awareness training on top of technical controls. Your humans are, regrettably, your weakest link. Thus, effective training is an ongoing effort to keep security a top concern for all employees.

[Image: Phishing breakout]


Employees need training on several fronts. First, to address complacency; anyone who thinks, “that will never happen here” is a sitting target for the highly motivated and creative criminals out there.

Next, train employees to recognize social engineering approaches and to stop themselves before they take a potentially dangerous action such as:

  • Opening emails from the spam folder or from unknown senders
  • Opening attachments to emails from unknown origin
  • Failing to update antivirus protections and software applications



Provide Positive Reinforcement

You know the saying, “fool me once, shame on you. Fool me twice, shame on me.” You don’t want your employees to be fooled, but you also don’t want to rely on shame to get them to keep their guards up.

In training and testing, focus on successes rather than failures. Sharing accolades when someone in the company immediately warns IT of a suspicious email is more likely to foster employee support and build confidence faster than calling out regrettable mistakes.

At the same time, don’t let your employees rest on their laurels. Yes, you want to start out small with social engineering training and testing, but plan to go bigger and get more challenging the more comfortable they become with the learning process.

By varying the pretexts of the social engineering and amplifying complexity over time, you can effectively educate employees on different attack vectors and help the company identify opportunities for adding additional technical controls to protect against real attacks.


Introduce Checks and Balances

Revisit your processes regularly. Are there places you can institute security double checks?

[Image: Checks and balances]


Common social engineering attacks rely on communications that create a sense of urgency or fear. Uncomfortable with these negative emotions, the victim is more likely to disclose information, download a malicious file, or enable access to sensitive data or systems without thinking first.

Encourage people to take the time to:

  • Hover over any email links to see where they would be taken if they clicked
  • Scrutinize the domain name an email communication is coming from
  • Confirm that any online transactions are completed on a site that uses https protocol
  • Be cautious when an individual calls asking for information — try to establish the caller’s identity without giving any hints
  • Question requests for quick action or any communication that makes the recipient feel pressured to respond urgently
  • Verify requests that begin with “I just need” or ask the individual to help fix a “simple problem.” Needing just one little thing is too often an indicator of a big threat.
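The hover-over-the-link, check-the-sender-domain, insist-on-https and question-the-urgency checks above can be automated as a first-pass triage on a suspicious message. The script below is an added example and is not part of the original post or of any product it mentions: it parses a raw email, flags a Reply-To domain that differs from the From domain, inspects every link in the HTML body for display-text/target mismatch and plain-http targets, and notes pressure phrases such as “urgent” and “I just need”. The sample message and every domain in it are constructed placeholders.

```python
"""Added example: automate the manual email checks from the list above."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all domains are placeholders): the Reply-To
# and the link target do not match the domain the mail claims to come from.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
Subject: Urgent: password reset required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I just need you to confirm your account within the hour.</p>
<a href="http://login.example-support.net/reset">https://sso.example.com/reset</a>
<a href="https://intranet.example.com/policy">intranet policy</a>
</body></html>
"""

# Phrases chosen for this example; a real program would maintain its own list.
PRESSURE_PHRASES = ("urgent", "immediately", "within the hour",
                    "i just need", "simple problem")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address_or_url):
    """Lower-cased host part of an email address or URL ('' if none)."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    # urlparse only finds a hostname when a scheme or '//' prefix is present
    url = address_or_url if "://" in address_or_url else "//" + address_or_url
    return (urlparse(url).hostname or "").lower()


def triage_email(raw):
    """Return a list of warnings for a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw)
    warnings = []

    # Check 1: does the reply go back to the domain the mail claims to be from?
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    # Check 2: the 'hover over the link' test, plus the https requirement.
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if urlparse(href).scheme != "https":
            warnings.append(f"Link {href} does not use https")
        looks_like_url = "://" in text or text.startswith("www.")
        if looks_like_url and domain_of(text) != domain_of(href):
            warnings.append(f"Link text {text} hides target {href}")

    # Check 3: language that pressures the recipient into acting quickly.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    for phrase in PRESSURE_PHRASES:
        if phrase in haystack:
            warnings.append(f"Pressure language: '{phrase}'")
    return warnings


if __name__ == "__main__":
    for line in triage_email(SAMPLE_EMAIL):
        print("WARNING:", line)
```

The output is meant for a human reviewer, not as a verdict: a missing warning says nothing about a message, and a legitimate mail can trip the pressure-phrase check. The value is in making the habits from the list above cheap enough to apply to every message that asks for something.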

Strengthen Your Security Awareness Programs With These Five Steps:

  • Develop and communicate internal policies
  • Implement an ongoing and frequent security awareness training program
  • Use a security consulting firm to conduct regular social engineering testing
  • Measure training effectiveness and identify deficiencies
  • Update the security awareness program to address gaps identified during testing

//Quoted. Thanks for reading.