The Weakest Link: Securing The Human Element From Cyberattack 

By: Chris Clements, VP of Solutions Architecture

Before the internet, such cases tended to be limited by a bad actor’s reach — there are only so many doors you can knock on or people you can approach — but the internet allows criminals to reach millions in a matter of seconds. It has spawned its own discipline for exploiting human trust — social engineering.  

The scale on which bad actors can act has magnified the problem. Phishing specifically is the initial attack vector for thousands of cybersecurity compromises every year but isn’t the only form of social engineering. I’ve personally run many social engineering operations on behalf of customers to test the resiliency of their personnel. It’s deceptively easy to gain physical access to sensitive locations by following behind people through secure doors, a technique that’s part of a “physical penetration testing.” Yet another method uses phone calls and text messages. Awkwardly named “vishing” and “smishing,” this has been demonstrated to be WILDLY successful by the LAPSUS$ cybercriminal group in compromising some of the largest and seemingly most secure companies in the world, simply by making calls to their help desk. 

The Solution 

As problems go, social engineering is a difficult one. We want our personnel and coworkers to work together and to have trust in communicating with vendors and customers. However, we don’t want them to fall victim and put the business and its customers at risk. There are several ways organizations can help put their personnel in the best position to identify and respond to social engineering attacks. First, IT departments should use software that filters spam and phishing emails and implement technical controls, which will keep most attacks away from their users. Next, any emails from domains other than the company’s own should be clearly marked as “external” to make identifying impersonation attacks easier.  

Training users themselves to spot social engineering attacks like phishing has been a controversial topic with cybersecurity experts. Some argue that it’s at best a waste of time, at worst a means of eroding personnel trust, and that users will never be able to identify 100% of all attacks. I understand their point, and I have seen some training programs that I do believe are actively harmful. That said, I fundamentally disagree that it isn’t worthwhile. The National Highway Traffic Safety Administration reports that the average driver in the United States will be involved in three to four crashes in his or her lifetime. That means most of us will likely have this unfortunate experience, but that doesn’t mean we shouldn’t be educated on defensive driving best behaviors. Moreover, as averages go, we all know people who have never had an accident and others who seem to be magnets for them. As an organization, being able to identify and focus efforts on training those who seem more “accident prone” with social engineering can bring a nice balance between being a nuisance to safer users and providing adequate training to those who need it most. Beyond training, however, there still needs to be procedures in place for personnel to verify the legitimacy of any communications they receive, regardless of the source. They should know where to send a suspicious email to have it validated (and this process should take minutes, not days, else they will be disinclined to use it), and they should have standard identity verification procedures for any inbound calls or text messages. Finally, make sure that users understand how to report social engineering attacks. Doing so gives you a way to communicate the attack and raise awareness so that others don’t fall victim. Organizations should also want users to feel safe reporting an incident if they do fall victim to an attack so the incident response process can begin immediately. 

Dos and Don’ts  

Do

• Clearly mark emails from outside the organization as external 
• Employ personnel verification procedures to validate identity 
• Train employees on common attacks and scams, and how to respond 
• Test common attack scenarios such as password reset or fake invoice emails 
• Update these procedures and retrain as attacks evolve 

• Clearly mark emails from outside the organization as external 
• Employ personnel verification procedures to validate identity 
• Train employees on common attacks and scams, and how to respond 
• Test common attack scenarios such as password reset or fake invoice emails 
• Update these procedures and retrain as attacks evolve 

Don’t

• Train so often it becomes a nuisance 
• Train so infrequently it isn’t reinforced 
• Don’t be punitive with users who make mistakes. You want them to feel safe reporting if they think they may have fallen for an attack 
• Don’t send phishing training promising bonuses, gift cards, or other monetary means. Yes, it’s mean and gross when cyber criminals do it, but it’s mean and gross for you too. 

Want to learn more about cyber awareness training? 

The post The Weakest Link: Securing The Human Element From Cyberattack  appeared first on CISO Global.

*** This is a Security Bloggers Network syndicated blog from CISO Global authored by CISO Global. Read the original post at: https://www.ciso.inc/blog-posts/the-weakest-link-securing-the-human-element-from-cyberattack/