Over recent years, cyberattacks have become harder to prevent despite billions of dollars spent on security across the global economy.
Many large corporations have fallen victim to attacks like these; surprisingly, many of them have a strong technology background and millions of dollars in their security budgets. Yet history keeps repeating itself. Why?
Quite recently, Garmin was reportedly held to ransom by a Russian cybercrime syndicate. According to reports, the outbreak cost Garmin millions to restore its Connect services.
Fundamentally, there is no silver bullet against cyber attacks. Research has shown that 97% of the time, attackers gained access to a company's systems by targeting its employees through social engineering rather than by breaking the technology directly.
Ask yourself a few simple questions:
- Have you ever shared your date of birth, favourite numbers, characters, movies or pets on social media?
- Have you ever tagged your family members by their full names on social media?
- Have you ever chatted with strangers on the Internet?
- Have you signed up for a free movie or music streaming site?
- Do you check the email headers of important emails before acting on them?
Email is one of the top attack vectors. Many cyber frauds happen when the Finance department or an approving authority signs off on a transfer without validating the legitimacy of the request.
However, well-crafted targeted attacks go further and make the email look entirely normal. The only problem is that the email did not come from the employee at all; he or she probably did not even realise it was sent while on vacation. How do the cybercriminals know the employee is away?
Most likely the employee posted vacation photos on social media. In such a situation the attackers do not even need to put much effort into hacking; the employee has already done them a favour.
Reportedly, 500 million USD was lost in the U.S. alone to email account compromise.
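The question "do you check the email headers?" deserves a concrete answer. The following is an added example, not code from the original article or from any vendor mentioned on this page: a small triage script that parses a raw email and flags the indicators a finance approver (or a mail gateway rule) should look at before acting on a payment request. It checks for a Reply-To that points somewhere other than the sender, an executive's display name on an address other than the expected one, lookalike domains, SPF/DKIM/DMARC verdicts that are not "pass", and payment or urgency keywords. The domain `example.com`, the executive directory, and both sample messages are constructed for illustration.

```python
"""Heuristic BEC (business email compromise) triage for a raw RFC 5322 message.

Added example; not part of the original article. All names, domains and the
two sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: the organisation's own domain and the executives attackers like to impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample: a lookalike sender domain, a redirected Reply-To and failed DMARC.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@attacker-mail.net
To: cfo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker-mail.net; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Please process the attached invoice by wire today. Keep this confidential.
"""

# Constructed sample: a legitimate internal message for comparison.
CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board meeting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

See you at the meeting on Thursday.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion in a
        elif len(a) < len(b):
            j += 1          # insertion in a
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # trailing leftover characters
    return edits == 1


def triage(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. A Reply-To on another domain is the classic BEC redirect.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. An executive's display name on an address other than the one we know.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' does not match expected address {expected}")

    # 3. Domains one typo away from our own (examp1e.com, example.co, ...).
    for dom in sorted({from_dom, reply_dom} - {""}):
        if within_one_edit(dom, INTERNAL_DOMAIN):
            findings.append(f"lookalike domain {dom} resembles {INTERNAL_DOMAIN}")

    # 4. Anything other than an explicit pass on SPF, DKIM and DMARC.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")

    # 5. Payment and urgency language in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"\b(wire|transfer|urgent|confidential)\b", text, re.I):
        findings.append("payment/urgency keywords in body")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, "->", triage(sample) or "no findings")
```

The Authentication-Results header is only trustworthy when it was written by your own receiving mail server (here `mx.example.com`); a real gateway should strip any copy of that header that arrives from outside before adding its own. None of these checks is proof of fraud on its own, which is why the script reports findings rather than a verdict: the approver still has to confirm the request out of band, by phone to a number already on file.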
It is not just about technology. It is about user awareness.
Here are some common social engineering tactics:
- Phishing – attackers impersonate a party the victim knows or trusts, tricking them into handing over sensitive information such as passwords or credit card details.
- Watering Hole – attackers exploit a weakness in a legitimate website that their target group commonly visits and plant a backdoor trojan on it. When visitors browse the site or download something from it, the backdoor is installed on their devices.
- Whaling Attack – a form of spear phishing aimed at individuals with access to highly sensitive information, typically senior executives. The message is crafted personally for the victim in order to gain their trust.
- Pretexting – attackers create a fake identity and use it to communicate with the target in order to obtain private information.
- Baiting and Quid Pro Quo Attacks – attackers trick the victim into believing something useful will be provided to them; this tactic is normally used to plant malicious software on the victim's device.
- Vishing – voice phishing, similar to a typical phishing scam but carried out over the phone.
- Scareware – displays a warning on the victim's device and offers a "solution" that will "solve" the problem; in reality the "solution" itself is the malware.
For a business it is difficult to entirely prevent social engineering attacks, because you do not know who in your company will be the next target. But that does not mean the gap cannot be closed.
Here are some measures every company should consider implementing to reduce the risk:
Periodic Security Awareness Workshops
The company should organise a security workshop periodically, for instance every three months or so. Not only does this give staff an update on the latest cybersecurity tips, it also refreshes their memory, since these details are easily forgotten over time. It can be conducted by external consultants or by the internal IT team; best is a combination of both, with the external consultant transferring knowledge to the internal team.
Implement Privileged Access and Credential Control
The objective of a social engineering attack is to obtain someone's credentials within the company, most of the time someone high enough in the hierarchy. Security policies around credentials and access therefore mitigate much of the risk, or at least make the attack complicated enough that the attackers turn to another target:
- Set up two-factor authentication.
- Assign one credential to each individual user, with access limited to what their own work requires (least privilege).
- Enforce password changes every 3-6 months on company devices (note that current guidance such as NIST SP 800-63B favours long, unique passwords changed on suspected compromise over fixed rotation schedules; whichever you choose, pair it with two-factor authentication).
- Personal devices shall not connect to the company's networks without a VPN or equivalent encrypted access.
Network Monitoring and Up-to-date Security Patches
Some social engineering tactics involve installing malware and backdoors inside the company's network. Setting up a 24/7 SOC (Security Operations Centre) with a comprehensive SIEM to proactively detect anomalies helps limit the damage when the first line of defence fails. Since building a SOC in-house is a huge expense, working with a Managed Service Provider (MSP) that offers SOC services is often the more viable choice.
Vulnerability Assessment and Penetration Testing
As social engineering tactics keep evolving, regular tests and code reviews of your critical systems, and reviews of business processes against the latest tactics, help to identify loopholes in the company's operations. A periodic penetration test by an independent party can reveal both the symptoms and the root causes at a deeper level.
Email is still one of the main culprits in cyberattacks. In 90% of all cases the attack begins with an email, whether it carries ransomware, phishing, CEO fraud or something else.
Therefore, remember to invest in email security as well when upgrading the company's IT security. Email security is not only about anti-spam and anti-malware. Our partners, such as Retarus GmbH, have taken email security to the next level.
Advanced features include:
- Patient Zero Detection – attackers come up with new tactics every day; Patient Zero Detection is designed to identify and block these new attack patterns as soon as they appear.
- Advanced Threat Protection – including virus scanners, deferred-delivery scanning, time-of-click protection and CEO fraud protection.
- Data Loss Prevention – ensuring confidential data does not end up outside the company's network, whether as the result of an attack or merely of human error.