Social Engineering Countermeasures

00:00

Hey, everyone, welcome back to the course. So in this video, we're just gonna talk about some of the countermeasures we could do against social engineering attacks.

00:08

So when it comes to passwords, for example, we can have a strong password policies eso

00:14

requiring our employees to change your password on a frequent basis, making sure the password is not easily decibel, making sure that they're actually using strong and complex passwords. Long passwords. We could also enable things like account lockout. So as an adversary, or someone enters the password too many times incorrectly,

00:32

it will actually lock out the user account and require them to take some action. Maybe,

00:36

for example, placing an I T ticket or just contacting the I t department.

00:41

We could have physical security policies so requiring things like i d badges for employees requiring them to wear like a uniforms. So we know Hey, this this is an actual employee assed faras like guest. We could make sure that we're escorting visitors, so we have a policy that visitors have to be escorted everywhere in the building.

00:59

We can restrict access to certain areas, so making sure that Onley the people that need toe

01:03

get in that area can actually physically access it

01:07

and also making sure that we shred any type of sensitive documentation operational guidelines. So this is where we can talk. Talk about making sure that our sensitive information is secured and again going back to what we talked about just now with physical security of making sure we segment that access out. We wanna make sure that Onley, the right people

01:26

or individuals can access

01:29

the right information

01:30

training our employees. This is actually a pretty big one.

01:34

The more we can help our employees identify that they're being socially engineered, the more likely they are to not fall for it. So the more we can educate them of saying, Hey, Attackers will use a phishing email. So if your email looks like this or this or it has these types of things,

01:52

then it may be a phishing email. Let's have you contact the I T department.

01:55

Someone will come take a look and make sure it's either legitimate or it's not. You can also encourage them to call the person. So, for example, if they get an email saying, Hey, you need to wire me a bunch of money right now to this new account to pay this vendor. You actually have them call that person and say, Hey, did you sent me this email

02:14

and make sure it's an actual legitimate request

02:15

identity and access management. So making sure employees enable things like two factor authentication again, going back to the password policy, making sure that the passengers themselves are strong long and are complex. And we're using things like special characters were using assaulting our hashes, etcetera, etcetera.

02:34

Also these days using things like zero trust, right. So requiring continuous authentication and not just saying Okay, you're good, because that way an attacker can't just take over that session and pretend they're us, right? If we're continuously making them prove their identity, then we can help protect our organization a little bit better.

02:54

And so some other things that we can do is number one classifying the information so identifying

02:59

what is actual sensitive data? What do we actually care about? What's critical data for our organization? Uh, this could be things like intellectual property. So, like, patents, trademarks or just I P itself could be classified information. If you're in the in the government sector, right? It could be secret information or top secret or whatever Classifications your

03:19

particular government where you live uses.

03:21

So this classifying that information, identifying what's actually critical to the business or the organization and then adding classifications to that. So we know this is a sensitive stuff. Hey, we don't care about this stuff over here too much. So that way, if there is an attack, you know, did we lose something that was actually critical to our organization?

03:42

So being mindful of background checks on our employees and what this means is basically a lot of times if someone's caught a criminal background And by no means am I saying that if you've got a criminal background, you're gonna be a easy victim for social engineering attacks. But just based off

04:00

some of the things we've seen out there,

04:02

if you have a criminal background depending on what it is, you may be more inclined to provide information for financial gain to an adversary, right? Also employees that were terminated, maybe individuals that the the adversary reaches out to and says, Hey, I see they did you wrong. They fired you. They shouldn't have done that, blah blah, blah

04:23

and hey,

04:24

do you want to turn an extra $25,000? And if the person is in a financial situation where they don't have savings or another job lined up, they may take you up on that right? They may give you that information because they don't deem it that sensitive. But for you, the adversary, that's critical information that you needed. So we need to make sure when we're terminating employees that we

04:44

going back to the identity and access management we need to make sure we have policies in place

04:46

that will ensure we've terminated those accounts. So, for example, I should not be able to use my log in at a previous company right now, right? Because I'm no longer there. I've seen that, though in the past, in my past experience, especially in healthcare,

05:03

is a lot of times I'd still have this like my account would still work right. I'd still be able to log in and check things or whatever on didn't I didn't do it in nefarious way. I did it just to check like my email or whatever, to make sure that I had set the responder on saying, Hey, I no longer work their work. They're just so that way

05:23

we give them time to actually like,

05:24

close my account. But

05:26

I found those things right and that, and I was one of the good guys, right? I was one of the good people that didn't exploit that. But I could have, right, because I'm I'm sure I still had access toe things like the medical record systems, etcetera. I just didn't go through and do that stuff because I'm not a bad guy, right?

05:41

But we need to make sure that we have those policies and procedures in place. So when we do terminate employees, we don't have as much risk their of them using the credentials or those credentials being exploited by an outside adversary,

05:56

making sure we're make sure that on our end points were using things like anti virus or anti Mauer solutions,

06:00

um, as well, Azaz, making sure that we're using these things

06:04

in our mail system. So, for example, if I'm sending a malicious link via email in a phishing attacks, your employees, hopefully you're scanning that link and making sure and saying hopes there's malware or we suspect this Mauer at that link. So let's go ahead and just block this email because it looks like it's spam.

06:21

So let's just talk briefly about some of the ways you can kinda identify. Is this a phishing email? Well, number one, let's say your bank doesn't email you. Then why would you expect your bank to email you all of a sudden? Number two like the I. R. S. They don't email you. They send you a letter

06:38

and say, Hey, you owe us money or were investigating you or whatever the case might be, you'll get communication from them directly via, like, male. Right? So one of the biggest things just understanding, like how theme? The bank or the I. R. S or the FBI or

06:55

or any number of organizations, how they actually communicate with you, Right? What's the normal

06:59

process for that communication? Now what we're talking about phishing emails themselves look for, like, generic greetings, right? Like deer. Like this example. Dear online banking customer. Your bank doesn't send that message right? They don't send that message their messages. Typically, it'll be around your account like, hey, your statements ready or something

07:18

for you to view

07:19

and then never click on it and from the email, like, Actually go to your banks website and go look at your statements if you get him. Elektronik Lee. So look for that generic greeting that, like would go toe anybody across the board.

07:31

You could also look at the email header info. So let's just say, for example, your companies using Gmail eso you could just go. You could look at the original email and identify information around the header and make sure it's actually coming from that source, right? So, for example,

07:45

this one says fraud at Bank of Americans dot com. But you could actually look and see where that really originated from the originally I p address, etcetera, etcetera.

07:55

There's usually a sense of urgency about these phishing emails. It might be pay. You gotta log in within 24 hours or we're gonna black your account. It might be might be something as simple as like a coupon via phishing email, right? Hey, this coupon expires in the next 24 hours, so there's a myriad of ways that a phishing email might come across,

08:15

but there's usually some kind of sense of urgency around it. might be the i. R s email. You Not really Iris, though, but might get an email from the IRS Quote unquote i r. S. And they may say you need to contact us within 24 hours or you're gonna be arrested, right? The Secret Service will arrest you. It's like that doesn't make any sense. Right? Because

08:33

if you're in America and you're familiar with this type of system, you know

08:37

who will actually come arrest you? Um, it'll be someone from the Department of Justice. The I. R s criminal investigators. Don't Don't actually last I knew have authority to arrest you. So knowing those things can help protect you as well, because you know how the normal process works.

08:52

Grammar spelling airs. This can be an indicator, but also understand that, like,

08:58

I mean, I've gotten emails because I'm on email list for, like, Fortune 100 companies of 500 companies and like their teams or misspelling stuff. So this isn't always an indicator, but it is another kind of thing to check off and see if there's any type of grammatical errors or spelling errors in the email.

09:15

The website link itself. So if you're on on like a laptop or desktop and you hover over it. Let's say they say, Hey, go to google dot com and you hover over it and it sends you thio alibaba slash Russia dot You know CIA or something. You know it's not legitimate, right? Because why would it really be redirecting you over there?

09:33

This is difficult to do our most mobile devices because you

09:37

really can't hover. But I would typically tell people,

09:41

um, for links, throwing through virus total real quick or go on a laptop or something so you could see where that link actually goes. I don't click any links from my mobile devices

09:52

and look for the images and see. Do they? Do they look official like Do they look like what the banks one should be on did this example here? You see their bank of Americans like That's not even a real bank right? But they're trying toe mimic that Bank of America and

10:11

pretend that they're them, right? So do they have official looking images in the email? And if so, do those actually line up with the actual bank itself? Or are they trying to do a play on the words, right? So, for example, instead of Bank of America, Bank of Americans and a lot of people in a rush, they will look at that and not even notice the difference.

10:31

So that's a quick, quick question here for you. Some best practices around passwords include which of the following should they be decibel? Should we lock people out after a certain number of failed logging attempt? Or should we have long and complex passwords?

10:45

All right, so if you guess the one here, uh, we wanna lock out, right? We wanna lock out after a number of field log in attempts. Um, that way we make sure

10:56

we're not allowing those adversaries to get into our accounts and then also having those long and complex passwords using things like two factor authentication as well.