9.2 Defending Against Social Engineering Attacks

Video Transcription
Defending against Social Engineering.
Social engineering attacks are one of the hardest attacks to protect against, but there are a lot of things you yourself or your organization can do to protect against them.
So first, organizations need to have a security policy that is enforced.
These policies need to explain the risk of losing sensitive information and give explicit rules for how it should be handled if or when that happens.
Having these security policies in place and followed can stop a lot of attacks from ever getting started. A lot of organizations that we've run into while pen testing, or worked at, have a lot of the right security policies in place, but they don't actually enforce them, which makes it really easy to bypass that policy.
So, for example, if there's a policy for employees to wear or display their badge while in the building, it really needs to be enforced. Almost every organization that we've tested has had this specific policy in place, but very rarely is it enforced, which allows me, as a pen tester or an attacker, to just walk right in and never be questioned.
One of the biggest things an organization can do to help prevent social engineering attacks is to train their staff about social engineering threats. A well-educated staff is a social engineer's worst nightmare.
And there are a lot of ways that you can train your staff on social engineering, and some of these we've mentioned, but again, they include active social engineering or phishing assessments, and monthly security lessons or videos.
One of my biggest pieces of advice, though, is you need to make it interesting. If it's the same old boring thing every single month, your employees are going to tune it out and ignore it. If it's slides, they'll skip right through them, do the quiz and forget about it.
And if you are doing the active social engineering or phishing assessments, you need to remember the goal of that phishing assessment. It's not to trick the users and make them feel stupid or that they should have known about it; it is to educate them.
Help them understand why they may have failed it, or why they passed it and did something good. It's good to bring up both the good and the bad.
In order to create a well-educated staff, you need to have an organized training session for all staff members.
To create that well-educated staff, organizations really need to help them understand the threats. Your staff needs to understand that they can become a target, and why they might become a target for a social engineer.
Another thing the staff must do is recognize that passwords and data should stay confidential. No one should have access to confidential data except the verifiable and authorized parties for that data. One thing you can definitely bring up is that IT is never going to ask for your password via email or phone.
Really, any good IT staff, if they need to get into a person's account, can reset the password and let them know.
So it's always up to staff to know who is in an organization and how to verify someone if they don't know that person.
There also needs to be a culture that allows for everyone to be challenged on their identity, even the highest ranking members, the CEO or the board members. If an employee feels they are being social engineered, they should explain why they can't help that person due to the company's policies. And again, if these policies are in place and everybody is following them, it's a lot easier to bring that up. It's hard to challenge someone if you don't know who they are and nobody else is doing it. But if everybody's doing it, it makes it really easy to do.
So if a person is suspected of being an attacker, or of continuing their attacks, security or other employees can be asked to assist. By doing this, you can confirm whether that person is truly an attacker and discourage them if they are; and if they are a real person, they should understand why they were questioned like that.
Securing communication data is another thing that's definitely important. Really, technology is used throughout every company to help communicate, and that could be email, phone or instant messaging. Email is one of the biggest ways that malware can make it onto a system.
A lot of emails can also contain sensitive information that can be useful for attackers. So if you've got your rules in place and they're being followed, it's a lot easier to help secure that communication data.
Email passwords should be long and complex, with two-step verification enabled whenever possible.
And then again, sensitive data should not be stored in email long term, in case of an account breach. So if they do need to send it, make sure it's deleted and actually removed from the email server as well.
When sending emails with confidential documents, first you need to make sure it's only being sent to the authorized parties. And if you can, encrypt that data and send it encrypted.
Another thing that's important to do, though it may be a little more difficult for certain organizations, is to defend against electronic monitoring.
Electronic surveillance devices like cameras and microphones can be planted by attackers. They're really easy to get online, and they're small, concealable and really easy to set up.
These devices can be used to spy on meetings, to steal secrets or passcodes for alarm systems, and for other serious information breaches.
So there are several clues that an attacker has planted a surveillance device. Some of these include an outlet or plug that's off center, new items appearing on desks that weren't there before, break-ins with nothing taken, moved furniture, and unknown vehicles parked outside for long periods of time. If you notice interference on radios or TVs, or sounds coming from a phone receiver, those could be clues that someone is listening in or monitoring via one of these wireless electronic devices.
There are a lot of other things you can look for too, like holes in office equipment, bumps or blemishes, or holes in ceilings or walls.
There are a lot of things that you need to look for, and sometimes it may be better to hire a security professional trained in tracking and detecting these devices, if that's something that's really a risk for your organization. You can also purchase bug detector devices, but they may or may not be useful depending on the staff, and usually your best bet, if this is a risk for you, is to leave it up to professionals to look for them.