Defending against social engineering and spear phishing attacks
September 2014 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
How many corporate executives, or their executive assistants, would ignore an email from the CEO where the subject line included the words ‘Urgent’ and ‘Reply immediately’? The challenge employees at all levels face today — including senior executives — is distinguishing legitimate emails from highly targeted attacks, known as spear phishing attacks, which are designed to get the reader to open a message and click on an link to an often legitimate website which may contain an infected component designed to compromise the corporate network.
Spear phishing and social engineering are as popular today as their non-technical predecessors because they prey on human emotion and are effective and produce valuable results. The internet contains a wealth of personal and corporate data that can be used to convince unsuspecting targets that the phishing emails are valid. Cultural and corporate norms dictate that when a senior executive makes a request, the recipient of that request must respond. In many cultures (think about the offshore component of your organisation) it is considered good manners to assist someone who makes a request without question even if the two individuals are not acquainted.
Potential attackers can obtain a tremendous amount of information about a target company and the appropriate employees to attack simply by reviewing corporate websites, corporate social media sites such as LinkedIn or Twitter, and personal Twitter and Facebook accounts of employees who fit the target profile. With publicly available information, it is not difficult to make an attack look like message from a friend or colleague.
Given that almost all phishing attacks are initiated for financial gain, let’s assume that a cyber attack is designed to obtain banking or payment information or other Personally Identifiable Information (PII) from a company that sells widgets. The attacker could determine which corporate officers will be speaking at the widget convention by checking speakers lists posted online. A quick search of LinkedIn can determine whom this employee reports to and who reports to the speaker. A targeted email to staff that is designed to appear as though it comes from the speaker might come with a note that says “Please post the attached photo of me speaking at the Widget trade show on the web site”. The photo itself could contain malicious code which has been intertwined into a legitimate picture.
Or perhaps a company is advertising for a database administrator with experience using a specific database product. An attacker then will know details about the company’s inner workings and can build an attack payload designed to exploit that software.
Such attacks are not new. A similar approach was used several years ago when several employees in the human resources department at the data security firm RSA received emails that claimed to include a business-related spreadsheet. Even though the company’s email filters correctly identified the attachments as infected, one employee still clicked on the link, beginning a chain reaction of malware that eventually compromised the corporate network and customer security keys.
Social engineering works because it is in our nature to be helpful. In order to improve cyber security at all levels within a corporation, the entire staffs of companies need to be educated to be more circumspect about requests made by people the staffer does not know. Additionally, corporate executives need to create a climate of acceptance when an employee asks for confirmation of a request rather than just assuming any email they receive is authentic.
Stronger email security controls are helpful, but the answer to social engineering is not just technology. For example, if an employee receives an email from someone ostensibly within the company asking them to do something outside of their normal activity, such as providing access to a departmental computer the requestor normally would not have, or requesting login credentials for any reason, the company should have a written policy for how to handle such requests to confirm their authenticity.
Sometimes a support engineer might receive a spear phishing phone call or email from someone pretending to be a temporary employee or a contractor asking for network access credentials. Before the support personnel provides the access requested, they should be required to authenticate the caller, perhaps by checking with a departmental manager responsible for personnel, who can confirm the request is valid.
But social engineering is not just done electronically, nor is it always done to company employees. Imagine that a company has a cleaning crew that enters a company at 11pm each night to perform their services. Now imagine that a man in an expensive suit carrying a briefcase tries to walk in behind the janitorial service members or asks someone to hold the door for them without presenting their card key credentials. Would the service worker know that it is their responsibility to stop and tell the ‘tailgater’ that they need to swipe their own card for entry and that company policy does not allow for someone to enter without presenting valid credentials?
Defending against social engineering attacks
The most effective tool companies have to defend against social engineering and spear phishing attacks is education. Written policies and procedures that are reviewed with every employee at least on an annual basis significantly improve a company’s ability to defend against social engineering attacks.
Educated employees trained to be aware of unusual requests or behaviours that violate company policies and procedures, no matter how seemingly innocuous, can make the difference between a successful attack and one that is stopped before it starts. This is especially true for requests that that include confidential information or access to corporate IT resources.
For example, does a request, be it by telephone or email, pass the ‘smell test?’ If a request seems to be out of place, employees should confirm the requestor’s identity and the validity of the request before providing confidential information.
Management buy-in is essential to reward employees for verifying potential phishing requests rather than punishing them for wasting time by ensuring a request is valid. Corporate culture can make a big difference between employees wanting to help the company remain secure or ignoring what might be a potential attack.
Companies also need an Acceptable Use Policy for employees’ use of personal devices connected to the corporate network. While the perimeter of the corporate network might be well protected against viruses or malware, an employee who connects their personal device to the network is bypassing much of the company’s security infrastructure.
An Acceptable Use Policy is essential for helping employees understand what they can and cannot do on the corporate network, but it is almost meaningless if the company does not share it and discuss it with employees on a regular basis. Keeping employees involved in information security policies and explaining why these policies are important to the company will improve compliance significantly.
Even if a company’s IT or security team has yet to identify a network breach, best practices dictate that it should operate as though the network has been breached and the attacker is still there. By assuming there are attackers within the network, everyone can be on the lookout for anomalies and requests that seem out of place.
Vikas Bhatia is CEO of Kalki Consulting. He can be contacted by email: firstname.lastname@example.org.
© Financier Worldwide