Advice to IT Professionals on Social Engineering
IT professionals are accustomed to thinking about the technical aspects of security. However, as this report has shown, the human elementâ€”the techniques that attackers use to trick typical users into helping themâ€”has become just as important for attackers as the technical element, if not more so. By implementing effective technical safeguards, programs, and processes designed to defend against social engineering, you can help your users avoid being taken advantage of by attackers. You can even enlist them as some of your most valuable assets in the fight against security threats.
Your network provides the underlying infrastructure in which your applications are deployed. It is important to secure your network as a vital component of your defense-in-depth strategy.
Minimize and Monitor Your Attack Surface
- Limit the number of powerful user accounts in your organization and the level of access they have, because this will help limit the harm a successful social engineering attack can cause.
- Regularly audit your powerful user accounts. Provide them only to those who must have access, and to the specific resources to which they need access.
- Ensure these user accounts have strong authentication (strong passwords and/or two-factor authentication).
- Regularly audit attempts to access sensitive company informationâ€”both failed and successful attempts.
Create a Social Engineering Incident Response Plan
- Put in place systems to detect and investigate potential social engineering attacks.
- Create a virtual team to respond to attacks, and consider the following areas:
- What was or is being attacked, and how.
- Which resources are threatened or compromised.
- How to shut down an ongoing attack with the least amount of disruption to the business.
- How to recover from the attack.
- How to implement protections against similar attacks.
Create a Plan For Addressing Social Engineering In Your Organization
- Determine which threats have the greatest potential:
- Determine the resources attackers are most likely to pursue and those most critical to the business.
- Analyze attacks that have occurred against your organization and those like it.
- Determine where technology, policies, or company culture creates "soft spots" that are especially vulnerable to social engineering attacks.
- Determine how to address these vulnerable areas:
- Determine where technology or processes can be altered to reduce or eliminate the threats.
- Create policies that make it easy for people to perform secure actions without feeling rude.
- Create awareness training for those vulnerable areas that are most critical, and where technology, process, and policy may not address the problem sufficiently. Ensure that your guidance fits well within your organizational culture; it should be:
- Realistic. Guidance should enable typical people to accomplish their goals withoutinconveniencing them.
- Durable. Guidance should remain true and relevant, and not be easy for an attacker to use against your people.
- Memorable. Guidance should stick with people, and should be easy to recall when necessary.
- Proven Effective. Guidance should be tested and shown to actually help prevent social engineering attacks.
- Concise and Consistent. The amount of guidance you provide should be minimal, be stated simply, and be consistent within all the contexts in which you provide it.
- More details on how to create a process around social engineering prevention and response can be found in â€œHow to Protect Insiders from Social Engineering Threatsâ€ on Microsoft TechNet.