Protecting Your Users from Social Engineering
When it comes to information security, the weakest link might be something that no amount of software code and encryption can fully protect - your users. Social engineering is the practice of manipulating people into disclosing information that can help an attacker gain unauthorized access to your data (the Jimmy Kimmel Live show recently demonstrated a hilarious example of this). As intelligent as people are, they are also governed by factors such as fear, anxiety, empathy, bias, pride and a desire to help - all of which can be used to an attacker's advantage.

When exploring how social engineers work, it's clear how insidious an attack can be. Attackers often only need very small pieces of information, each of which is individually harmless. In 2012, a writer for wired.com reported that a hacker was able to take over his digital life and gain access to his Google, Twitter and Apple ID accounts. In his case, four digits of his credit card number, which were discovered from his Amazon account, were the same digits that Apple accepted for identity verification. In another case, the owner of the $50,000 @N Twitter handle, Naoki Hiroshima, was forced to give it up when an attacker used social engineering techniques to take Naoki's GoDaddy account hostage.

Despite the name sounding like one of the coolest professions to be in, social engineering is a real problem for businesses. According to a 2011 study by Check Point Software Technologies, almost half of the companies surveyed had experienced over 25 social engineering attacks in the two years prior, and many cited an average incident cost exceeding $100,000. Most social engineers are motivated by financial gain, but revenge is also a factor. New employees, contractors and executive assistants are the most susceptible to social engineering attacks.

Every year, the DEF CON hacking conference holds a competition to surface the most effective social engineering techniques and to answer one question - how do we protect against social engineering? Due to the covert and unpredictable nature of social engineering, it's imperative to assume you have been, and always will be, a target of social engineering attacks.

Prevention involves having and enforcing strict policies that restrict access to information and to physical on-premises resources, and educating users about how to identify an attack. Multiple points of identity verification (e.g., using an outbound phone call to confirm the identity of a user) are also key to ensuring that privileged information is shared only with the correct person. Finally, if an attacker does gain access to a system, it's imperative that administrators can contain the damage by revoking access to accounts and remotely wiping data from devices where possible.

Egnyte has partnered with Duo Security to offer a robust Two-Step Login Verification system, which IT admins can use to enforce identity verification to prevent social engineering. Egnyte also offers advanced authentication and a device control suite that allows admins to lock out user accounts and remotely wipe data on devices to mitigate the damage of unauthorized access.
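The outbound-callback verification described above, as an added example that is not part of the original post or of any Egnyte or Duo product: a helpdesk request (say, a password reset) is only honoured after a one-time code is spoken on a call to the phone number already on record, never to a number the caller supplies. The directory, the `Request` type and the helper names are constructed for illustration.

```python
# Added example: out-of-band callback verification for a sensitive helpdesk request.
# DIRECTORY is a constructed stand-in for a real identity source (IdP, HR system).
import secrets
from dataclasses import dataclass, field
from typing import Optional

DIRECTORY = {
    "alice": {"phone_on_record": "+1-555-0100", "role": "new-hire"},
}


@dataclass
class Request:
    username: str
    action: str
    phone_given_by_caller: str  # recorded for the audit trail, never dialled
    code: str = ""
    verified: bool = False
    log: list = field(default_factory=list)


def start_verification(req: Request) -> Optional[str]:
    """Look the claimed user up and return the number the callback MUST go to.
    Returns None (request refused) when the user is not in the directory."""
    entry = DIRECTORY.get(req.username)
    if entry is None:
        req.log.append(f"refused: unknown user {req.username!r}")
        return None
    # Six-digit one-time code, read out to the person who answers the callback.
    req.code = f"{secrets.randbelow(10**6):06d}"
    req.verified = False
    req.log.append(f"callback to number on record; caller offered "
                   f"{req.phone_given_by_caller}, which is ignored")
    return entry["phone_on_record"]


def confirm_callback(req: Request, code_read_back: str) -> bool:
    """The requester repeats the code spoken on the outbound call.
    One attempt per code: a mismatch consumes the code, so a new callback
    is needed rather than repeated guesses against the same code."""
    ok = bool(req.code) and secrets.compare_digest(req.code, code_read_back)
    req.code = ""  # single use, whether or not it matched
    req.verified = ok
    verdict = "verified" if ok else "failed"
    req.log.append(f"{verdict}: {req.action} for {req.username}")
    return ok
```

The audit `log` is what an administrator reviews afterwards; a request whose `verified` flag never became true must not be actioned.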