Fighting Against Social Engineering Attacks.
Last week’s news that the popular password manager LastPass had been breached sent many of its users into a panic, rushing to change their “master passwords.” The reality of the situation is, however, that the stolen master password data was well hashed, making it essentially useless to those on the outside.
So there’s absolutely no worry then, right? Wrong.
The real issue at hand is the stolen email addresses that went along with this breach. Cyber criminals can employ social engineering tactics to take advantage of the people (and businesses) to which these emails belong.
The cyber criminal who knows the origin of the email list they possess can send legitimate-looking phishing emails with various traps:
- A link to a website containing malware that can compromise the user’s computer, capture passwords, steal sensitive data and even launch denial of service (DoS) attacks;
- A convincing subject line and body text prompting the recipient to disclose login credentials, payment information or other sensitive data; and
- Content that serves as a pretext to more elaborate, follow-up social engineering attacks.
Phishing campaigns don’t necessarily originate from data breach events, however. Many commonly used corporate tools are impersonated in phishing emails; the popular remote access solution LogMeIn is one of the corporate business tools that attackers most often exploit as a lure.
What should you do?
Human beings are often the organization’s weakest security link, especially when it comes to social engineering attacks. Organizational security awareness training is essential: as focused, targeted social engineering attacks become more prevalent, employees need greater awareness to identify them and respond appropriately.
When it’s done right, security awareness training can provide more value than simply attempting to mitigate the risk using technical controls. Security awareness training should be engaging, increasing employees’ understanding of the social engineering methods and techniques employed by criminals, as well as their role in the organization’s ability to withstand these types of attacks.
With a solid security awareness training program in place, additional technical controls will provide the final defense against social engineering attacks. Organizations should employ strong email and web-content filtering solutions and ensure that software is updated on a regular basis, focusing on the applications that social engineers target most (e.g. web browsers).
Additionally, application whitelisting and file integrity monitoring solutions can provide an added layer of defense against malware and other suspicious software installations.
My colleague Dante LoScalzo and I recently held an educational webinar that will help you better understand and arm your employees against social engineering attacks. View the webinar replay.