8 Defenses Against Phishing and Social Engineering
When the executive’s office phone rang, he reluctantly set aside his work and answered.
“Mr. Simms?” said a voice, “this is George, in IT security. I’m sorry to bother you. The system flagged a security problem with your login credentials. I can fix it, but first I need to confirm a few details.”
Mr. Simms was busy, but he knew IT security was a concern. For the next few minutes, he answered questions. Then “George” asked him to log off, and together, they went through the login procedures again, with Mr. Simms answering still more questions as they went.
In the course of just a few minutes, Mr. Simms had given up his date of birth, mother’s maiden name and password. “George” had scored a coup.
Government and corporate employees are routinely targeted by attackers seeking access to personal information, financial accounts, sensitive records and protected intellectual property.
It costs almost nothing to mount an attack, and no organization or individual is immune, says James White, chief information security officer at General Dynamics Commercial Cyber Services. “It’s not a matter of if, but when,” he says. The key is being prepared.
Here are eight ways White says you and your organization can ensure you’re ready when you need to be:
1 Be Skeptical
You get an email that looks legitimate, perhaps from a colleague, customer or vendor. It’s asking for financial information, such as an account number or code.
Study the email. Look for typos or anything else that might be suspicious. Don’t be too quick to respond. “Attackers are counting on the fact that you are busy and distracted to get you to click on something you shouldn’t,” White says.
2 Use Your Mouse
Attacks are getting more sophisticated. The “from” address in an email may look legitimate, but it could be hiding an illegitimate reply destination. The link looks legit, but it could be masking an illegitimate address beneath the hyperlink.
Using your mouse, hover over the “from” line to see the email address behind the visible name; do the same over hyperlinks to see if the address looks legitimate. Still not sure? Try typing the root of the web address, or URL, into your browser to see if it’s a legitimate site.
“Be skeptical,” White says. “Don’t click on the links until you’re sure they are ok.”
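The two masking tricks this tip describes, a display name that looks like an address while the real sender differs and link text that looks like a URL while the href goes elsewhere, can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from General Dynamics; the sample message, the addresses and the helper names are constructed for illustration.

```python
"""Flag spoofed display names, mismatched Reply-To and masked links in an email."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish); example.* domains are reserved.
SAMPLE = """From: "accounts@vendor.example.com" <billing-update@mail.example.net>
Reply-To: collect@example.org
To: simms@corp.example.com
Subject: Updated account number
Content-Type: text/html

<p>Please confirm: <a href="http://example.net/login">https://vendor.example.com/account</a></p>
"""

def root_domain(host):
    """The 'root' of an address as the tip calls it: the last two labels, lowercased."""
    return ".".join(host.lower().split(":")[0].split(".")[-2:])

def check_headers(msg):
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # Display name written like an address but belonging to a different domain
    if "@" in name and root_domain(name.split("@")[-1]) != root_domain(addr.split("@")[-1]):
        findings.append("display name %r masks real sender %s" % (name, addr))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    # Replies silently routed to a third domain
    if reply and root_domain(reply.split("@")[-1]) != root_domain(addr.split("@")[-1]):
        findings.append("replies go to %s, not to the From domain" % reply)
    return findings

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_links(html):
    findings = []
    for href, text in ANCHOR.findall(html):
        shown = text.strip()
        # Only anchor text that itself looks like a URL or hostname can be "masking"
        if "://" in shown or re.match(r"^[\w.-]+\.\w+", shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).netloc
            real_host = urlparse(href).netloc
            if root_domain(shown_host) != root_domain(real_host):
                findings.append("link text shows %s but goes to %s" % (shown_host, real_host))
    return findings

def analyze(raw):
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode()
    return check_headers(msg) + check_links(body)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARNING:", finding)
```

Run against the constructed message it reports three warnings: the spoofed display name, the foreign Reply-To and the masked link.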
3 Consult with Others
If something gives you pause, listen to your concern. “Ask yourself: Is it seeking sensitive or financial information?” White suggests. “That’s a warning sign. Is there a sense of urgency? That’s another caution. If you’re suspicious, follow through: Pick up the phone and call the sender. Did they really ask for this information? Do they really need it?”
That gets harder if the request comes from a supervisor or high-level executive, but don’t let it intimidate you – it’s exactly the emotion attackers hope to exploit. “If you’re intimidated, go to your manager or another member of the team,” White says.
In fact, organizations should consider embedding that kind of confirmation or double-checking in policy. Requiring peer-to-peer confirmation before fulfilling any request for financial, sensitive or security information is a wise practice.
“It’s all about personal discipline and education of the workforce,” White says.
4 Layer Your Security
No single tool or rule will protect everyone all the time. Any organization and any individual can be victimized, White says.
So building security in layers is important. Layers can include education and training for staff, technology to quarantine suspected spam and phishing emails, and regular patching so that software is always up to date. Older browser versions pose a particular hazard, because the browser is the first line of defense against malicious websites.
“There are various tools available that can whitelist good sites and block bad ones,” White says. “You want to have your malware protections, you want to have firewalls in place, you want to have intrusion protection systems in place, all in addition to education. It’s really about staying on top of various threats and activities and tuning your systems to respond to those threats.”
5 Guard Your Personal Information
The most sophisticated attacks compile information about you and others in your organization and combine it to mount attacks. The more they know about individuals, the better they can look like an insider.
Experts call it social engineering – exploiting knowledge of people and relationships to trick them into giving up protected information.
Social media sites offer a treasure trove of personal information that can be used for this purpose. Facebook displays names and photographs, friends and acquaintances, birthdays and other dates of interest, personal interests and more – all of it useful in helping attackers build a clear understanding about you, which can then be used to spoof you or your friends and colleagues into giving up information. LinkedIn, similarly, provides a professional profile, with names and titles of colleagues and associates.
Both are useful, popular services. Both have value. And both can be abused, White says.
Using the highest privacy settings on Facebook will make it difficult for an attacker to see the kind of personal information that lives on that site. Limiting your LinkedIn page to professional information and declining invitations to connect from anyone not directly familiar to you will protect your connections on that site.
“Take advantage of the security controls they provide, but limit what information you share,” White advises. “If you put too much information out there, others will take advantage of that.”
6 It’s Not Just Email
Email is the most frequent form of phishing attack, but similar attack profiles can be mounted over the phone or in person.
“When you talk about phishing, email is only one form of it,” White says. “It could be a phone call where the individual is pretending to be someone they’re not, maybe another employee or a vendor. It might be a person accessing the physical environment, pretending to be a maintenance person or a co-worker.”
Tailgating – in which someone dressed to fit into your work environment follows you in the door without having to swipe in – is another form of phishing. Once inside, the individual has breached the first level of security and can try to penetrate further, gaining access to other parts of the building, or trying to access computers by posing as an information technology specialist.
7 Beware of Free Wi-Fi
You’ve just finished a meeting and you have another one in 90 minutes. So there’s time to stop for lunch or coffee and check your email. You take out your laptop and search for a free Wi-Fi signal. Sure, you’ve heard warnings about that before. But how’s it going to hurt just this once?
“Don’t do it!” White says. “There’s really tremendous risk when you log into free Wi-Fi sites, especially sites that allow you to log in without passwords required. You don’t know what you’re logging into. Is it valid?”
Attackers can set up a personal hotspot, give it a safe-sounding name, and set it to download key-logging software to capture passwords and other personal information. In the course of a single coffee break, you can give up the keys to your bank, social media and work network, never knowing what’s going on. “There’s no free lunch, and there’s no free Wi-Fi,” White says.
“The critical piece in all of this is workforce awareness and education,” White says. “At the end of the day, we rely on the individual. It’s not a matter of if, but when an attack comes. And when it does, we want to make sure that we’ve at least educated folks around it so they’re prepared.”
Education takes many forms, but long PowerPoint presentations aren’t the answer. White recommends interactive training that forces participants to stay engaged all the way through, rather than skipping to the end and hoping they know enough to answer a couple of quiz questions.
Random penetration tests using PhishMe or other commercial vendors to mount mock phishing attacks are valuable training tools. When employees click on or respond to these emails, they are directed to warnings and quick training modules apprising them that they clicked where they shouldn’t have. “This provides a way to target additional training for those folks who need it,” White says. “Over time you see improvement.”