The recent attack on Twitter that resulted in the takeover of numerous high-profile accounts including but not limited to those of President Barack Obama, Kanye West, and Tesla CEO Elon Musk, has brought to the fore the issue of social engineering once more.
A series of tweets from Twitter's support channel indicates that its internal systems were hacked, with attackers doubling as famous personalities or brands, offering users a double your stakes deal on Bitcoin.
Twitter wrote: "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the first tweet read. "We know they used this access to take control of many highly-visible (including verified) accounts, and tweet on their behalf."
Twitter hasn't fully elaborated on which tools were used or how exactly the attack occurred, but some sites reported access was obtained to an internal admin tool that allowed account emails and passwords to be reset.
What is social engineering?
Most malware attacks occur through a form of social engineering. The methods evolve rapidly, meaning most security solutions, security policies, and operational procedures alone cannot protect critical resources. At its core, social engineering occurs when hackers manipulate your employees into compromising corporate security. Employees unwittingly reveal sensitive digital information needed to bypass network security such as passwords, or in physical scenarios unlock office doors for strangers, or hold them open to be polite, without checking someone has appropriate access and identification. As security has improved, there is still a significant loophole: your employees.
Attacks on human judgment are immune to help from even the most sophisticated security systems organizations can buy.
Battling offline frailties with awareness
Overcoming this frailty is not completed by a software purchase; it requires a fundamental change of culture and improved regular education.
Instilling a security-aware culture includes ongoing training that consistently informs employees about the latest security threats, as well as policies and procedures that reflect the overall vision and mission of corporate information security.
An increased emphasis on security helps employees understand the potential risk of social-engineering threats, how they can prevent successful attacks, and why their role in adopting the security culture as their own is vital to organizational health. Security-aware employees are better prepared to recognize and avoid these rapidly changing and increasingly sophisticated social-engineering attacks and are more willing to take ownership of security responsibilities.
The criminals using social engineering are continually creating and deploying new attacks, forcing employees to recognize and deter threats that are outside of their specific security experience.
Quite often, a social-engineering attack is successful because it takes advantage of real employee names, dates of birth, partial passwords or authentication schemes, and other carefully gathered intelligence. They obtain this information in many different ways. So much information is unwittingly given away, clues are on their social media by your employees, they can be watched entering passwords and PINs into laptops and ATMs, and some will even searching through corporate waste bins. By providing some real information, attackers can convince innocent employees that they were involved in legitimate transactions.
Some of the attacks in recent years were created with stolen information so sophisticated that employees didn't even know that they had enabled a security breach.
Today, many hackers integrate technology into their schemes to launch even more creative, sophisticated, and destructive attacks. Two examples of social-engineering techniques that incorporate technology are phishing and pharming.
Beat the attacks with a culture change
Most attacks work because of one key ingredient attackers have, but you don't – time. By changing tactics regularly and incorporating business information and technology into their schemes, attackers have created an evolving landscape of highly sophisticated and malicious attacks. As a result, security teams must go beyond merely training employees periodically, instead, they must empower employees to recognize potential threats and make correct security decisions on their own so that even very realistic requests for secure information are met with skepticism and caution. Embedding security awareness this deeply in the minds of even the most junior employees is a significant challenge. Still, it is a known weakness that will continue to provide a backdoor to your corporate IT systems and present regular data management issues.
Making a culture of security within your organization is not a matter of issuing an email or a training video. Senior leadership buy-in, ideally CEO level, is the only way to ensure success across all departments. By understanding the outcomes of getting it wrong can make this a business issue of the highest order, means middleweight management are not senior enough stakeholders to support its rollout.
First, you must agree on core principles and create a vision for data management and data security specific to your organizational requirements. These principles give employees ownership of corporate security, accountability for their actions, and the expertise to cope with existing and emerging social engineering threats.
Every executive and employee must understand the risk of security breaches, the security procedures that can protect them from attack, the reason for each procedure, and the overall goals and limitations of enterprise security. Employees must understand that they are the last line of defense against hackers. If an attack is relying on social engineering, it is likely so because they cannot digitally breach the walls of the corporate IT systems any other way.
A social engineering attack is a personal attack. Hackers know an employee is a weak link in a security system. We are human after all, and capable of falling victim to deception, and our varied responses can give attackers new opportunities for success. And worst of all, it just takes one employee to lack awareness, and the attackers have won. That person who missed the internal security focus day, or skipped the desk-based training, it is they who can provide enough information to trigger an attack that will affect an entire organization.
Improving awareness: Get your organization secured
Our top tips for developing and instilling a security-aware culture are as follows:
Get Executive Commitment: Top-down buy-in is vital to a security-aware culture. When the top levels of management emphasize security awareness, employees are more likely to view security as a business enabler instead of a hindrance to productivity. An executive team that takes the initiative to be informed and involved in security issues, rather than off-loading responsibility to a security team, will encourage a security culture that is collaborative, structured, and ingrained throughout the organization’s processes and people.
Awareness and Education: Most employees cause security problems unintentionally. Accessing unsecured websites, deploying unauthorized wireless access points, or falling victim to social-engineering ploys are everyday employee actions that result in security breaches. The best way to avoid unintentional security problems is to provide all employees with regular security awareness training, using examples of recent attacks in the public domain. This training must inform employees of new threats and refresh their understanding of how to identify and avoid social engineering attacks. An annual focus or occasional email is not an effective approach; organizations must treat security-awareness training as an enduring part of employee training and education from their first day of enrolment. Employees in higher-risk positions for social-engineering attacks, those that have admin-level access or broader cross-functional controls, such as help-desk staff and network administrators, will benefit from additional specialized training.
Measure Your Risk: An ongoing risk assessment that tests the resistance of employees to social-engineering attempts and techniques can help assess the validity of the training program and further raise security awareness. In the same way that retail establishments have mystery shoppers, try and penetrate your systems via your employees to see where the opportunities lie and improvements are needed.
Security Policies and Procedures: Official security policies and procedures take the guesswork out of operations and help employees make the right security decisions. Such policies include the following:
- Password Management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and a declaration that employees should not disclose passwords to anyone (even the corporate IT help desk) will help secure information assets further.
- Two-Factor Authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords.
- Anti-Virus/Anti-Phishing Defenses: Multiple layers of anti-virus defenses, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social-engineering attacks.
- Change Management: A documented change-management process is more secure than an ad-hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
- Information Classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
- Document Handling and Destruction: Sensitive documents and media must be securely disposed of and not merely thrown out with the regular office trash. Ensuring your facilities team get the understanding needed to know how critically important this is will help too.
- Physical Security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks. Even putting notices on internal doors to remind staff to not allow unknown visitors to access a floor will help overcome these issues. The cost of being polite could be devastating.
Make the change
As we have seen with these high-profile attacks on Twitter users, and we regularly see with ransomware attacks that start with some form of social engineering to gain network access, the security risks of social engineering are significant. Organizations must address them as part of an overall data management strategy that mitigates risk.
The best way to mitigate the risk posed by social-engineering methods is through an organizational change of culture. A whole-hearted commitment to creating an 'always-on' security-aware culture is a necessity, just as much as a firewall. This cultural shift will provide employees with the tools they need to recognize and respond to threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture. In doing so, these actions will lower your organization’s likelihood of falling victim to future social engineering attacks and keeping your data safe.
Andrew Fitzgerald, sales director for Western Europe and Sub-Saharan Africa, Cohesity