True North Networks Blog
Social engineering: How Criminals Take Advantage of Human Behavior
What is social engineering?
Social engineers take advantage of human behavior to pull off a scam. If they want to gain entry to a building, they don't worry about a badge system. They'll just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection.
What are the best ways to defend against social engineering?
- Train and train again when it comes to security awareness. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
- Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
- Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
- Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
- Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.