Attacks on US enterprise systems and infrastructure continue to increase in severity and quantity. Some target specific organizations themselves, seeking their “crown jewels” such as intellectual property. Other attacks are carried out solely for financial gain, and target both consumers and the organizations that hold consumers’ personally identifiable information. While some high-profile attacks make splashy headlines – nation state espionage and high-profile data leaks – countless others remain undisclosed and, too often, unrecognized by victim organizations until after crippling damage has been done.
Social engineering represents a major and ever-increasing threat to businesses. Attackers know that a company’s weakest link is its employees, and they will continue to find new, innovative ways to exploit this via sophisticated phishing attacks and other methods. Here’s a look at some of the most common social engineering attacks today:
- Spearphishing: Contrary to popular belief, today’s spearphishing attacks are highly calculated and carefully crafted to be relevant and unalarming to the recipient. Spotting a spoof is harder than most people think, so employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email, or checking the link with a service such as https://www.virustotal.com/.
- The rogue technician: Under the guise of technicians or delivery people, stealthy social engineers walk right into organizations and can physically compromise the network. Employees should heed basic “stranger danger” trainings and ensure anyone who enters the building has an appointment or pre-established purpose.
- Malicious websites: Malicious websites are often disguised as corporate or partner sites and prompt visitors to update Java or Adobe software or to install a specific plug-in. Users should always close the browser, open a new one, and update Java or Adobe directly from the vendors’ official sites. If a site prompts for a specific program or a missing plug-in, users should close the browser and email the site’s operator asking about the specific configuration issue.
- Device attacks: Workers’ rampant adoption of personal, connected devices, and their reliance on them for day-to-day business communications, has given bad actors and social engineers exponentially more pathways in – and those devices cannot be secured by the organization. Organizations need new ways to detect employee-owned and rogue devices in and around their workplaces to gain the full visibility needed to prioritize security response, reduce alert fatigue, and provide the situational intelligence for real-time remediation.
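The spearphishing advice above boils down to "validate the link before you click it". One mechanical check a mail gateway or a security-aware employee can run is whether the domain shown in the link text matches the domain the link actually goes to, and whether the real destination is hidden behind a URL shortener. The following is an added example, not code from the original post; the email body, the hostnames (IANA-reserved example.com/example.net) and the shortened path are all constructed for the example.

```python
# Added example: flag anchors in an HTML email whose visible text names one
# domain while the href points somewhere else, or whose destination is hidden
# behind a URL shortener. Constructed input; not code from the original post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: the first link reads example.com but goes to a
# lookalike on example.net; the second is consistent; the third is shortened.
SAMPLE_EMAIL = """
<p>Hi, please review the updated invoice at
<a href="https://portal.example.net/login">https://portal.example.com/login</a>
before Friday.</p>
<p>Docs: <a href="https://docs.example.com/faq">docs.example.com/faq</a></p>
<p>Short link: <a href="https://bit.ly/abc123">click here</a></p>
"""

# A few well-known shortener hosts (assumption: extend to taste).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

HOST_RE = re.compile(r"[a-z0-9.-]+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare 'host/path' string; None if the
    value does not look like a hostname (e.g. 'click here')."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    if not host:
        return None
    host = host.lower()
    return host if HOST_RE.fullmatch(host) else None


def check_links(html):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target is None:
            continue
        if target in SHORTENERS:
            findings.append((href, "destination hidden behind a URL shortener"))
            continue
        shown = host_of(text)
        if shown and shown != target:
            findings.append((href, f"link text says {shown} but href goes to {target}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The check is deliberately conservative: a link whose text is plain words ("click here") is only flagged when it points at a shortener, because there is no displayed domain to compare against. A mismatch between displayed and real domain is one of the few spoofing signals that does not depend on the attacker's wording, which is what makes it worth automating.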
Since so many employees today use their personal devices at home and on the job, enhanced awareness and employee training on the dangers of social engineering are more critical than ever before. This starts with focusing on the devices they’re carrying, where they are being used, and what they are connecting to.
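The "device attacks" item above asks for a way to detect employee-owned and rogue devices on the network. The simplest version of that is to compare what the DHCP server hands addresses to against the asset inventory. The block below is an added example, not code from the original post; the log lines follow the ISC dhcpd "DHCPACK on <ip> to <mac> (<hostname>) via <iface>" format but are constructed, and the inventory is a hypothetical allowlist keyed by MAC address.

```python
# Added example: list devices that obtained a DHCP lease but are absent from the
# asset inventory. Constructed log lines and inventory; not the post's own code.
import re

# Constructed dhcpd log excerpt (ISC dhcpd DHCPACK format).
DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd[811]: DHCPACK on 10.20.1.14 to 00:1a:2b:3c:4d:5e (LAPTOP-0427) via eth1
Mar  3 08:02:40 dhcp1 dhcpd[811]: DHCPACK on 10.20.1.57 to a4:5e:60:11:22:33 (iPhone) via eth1
Mar  3 08:03:05 dhcp1 dhcpd[811]: DHCPACK on 10.20.1.88 to 00:1a:2b:3c:4d:5f (PRINTER-2F) via eth1
Mar  3 08:05:19 dhcp1 dhcpd[811]: DHCPACK on 10.20.1.57 to a4:5e:60:11:22:33 (iPhone) via eth1
Mar  3 08:09:44 dhcp1 dhcpd[811]: DHCPACK on 10.20.1.91 to 3c:22:fb:aa:bb:cc (Galaxy-S9) via eth1
"""

# Hypothetical asset inventory: MAC -> description of the managed device.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "corporate laptop, owner: finance",
    "00:1a:2b:3c:4d:5f": "office printer, 2nd floor",
}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:]{17}) \((?P<host>.*?)\) via (?P<iface>\S+)"
)


def parse_leases(log_text):
    """Extract one dict per DHCPACK line: ip, mac (lowercased), hostname, iface."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # other dhcpd messages (DISCOVER/OFFER/REQUEST) are skipped
        leases.append({
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "hostname": m.group("host"),
            "iface": m.group("iface"),
        })
    return leases


def find_unknown_devices(leases, inventory):
    """Return {mac: {'hostname', 'ips', 'count'}} for MACs not in the inventory.

    Repeated leases for the same MAC are collapsed so one phone renewing its
    lease all day produces a single finding, not a flood of alerts."""
    unknown = {}
    for lease in leases:
        if lease["mac"] in inventory:
            continue
        entry = unknown.setdefault(
            lease["mac"], {"hostname": lease["hostname"], "ips": set(), "count": 0}
        )
        entry["ips"].add(lease["ip"])
        entry["count"] += 1
    return unknown


if __name__ == "__main__":
    for mac, info in find_unknown_devices(parse_leases(DHCP_LOG), INVENTORY).items():
        print(f"UNKNOWN DEVICE {mac} ({info['hostname']}) "
              f"ips={sorted(info['ips'])} leases={info['count']}")
```

A MAC allowlist is a visibility tool, not an access control: MAC addresses are easy to change and modern phones randomize them per network, so the point of this report is to feed the "prioritize response" step the item describes, by telling the security team which hosts on the office segment nobody has accounted for.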
Here are four best practices for employees to follow to reduce their own personal attack surface, as well as that of your organization:
- Don’t connect to open wifi: Anyone can connect to an open network, and attackers set up traps with deceptively familiar names (hotel wifi, free wifi, airport wifi, etc.) to lure you onto them.
- Configure your phone so it does not automatically search for and connect to wifi: Always require your phone to “ask to connect” instead of connecting automatically.
- If you don’t need your wifi and Bluetooth, turn them off while you’re out and about: Period.
- Password-protect your phone: Don’t let your device fall into the wrong hands without a password in place – particularly if you use your personal phone for business. Also enable the feature that wipes the phone after several incorrect password attempts.
Stay safe out there!