Strengthening the Weakest Link
Reducing Risks from Social Engineering Attacks
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
Cybercriminals have a staggering variety of ways to get to your company’s systems and
sensitive data, and social engineering attacks number among their most successful.
Social engineering is the technique of manipulating people into violating security procedures,
either by disclosing sensitive information or by otherwise breaking with security
protocol. Outside of the cybersecurity context, social engineering is innocent enough:
many of us use it when we want something from friends or family, to influence people
to our way of thinking, or for other harmless purposes. Cybercriminals use social
engineering for nefarious reasons.
Significant improvements in security technology have made it difficult for cybercriminals
to steal sensitive data by penetrating computer systems. Social engineering relies on
momentary weaknesses in people, and it’s easier to deceive someone than it is to hack
into systems. Protecting your company from social engineering attacks requires dedication
to a training program that addresses your entire workforce and includes social
engineering exercises as a test of the training program’s success.
This paper covers several important elements to include in your workforce cybersecurity
training program. At minimum, train your workforce to identify the following four
attack methods to reduce your vulnerability to social engineering attacks:
1. Phishing – The cybercriminal sends fake emails that appear legitimate to the workforce
community. The emails typically include malicious attachments or links, or request
that the user send back sensitive information. Some examples can be found here:
http://www.it.cornell.edu/security/phishbowl.ctm
2. Pretexting – The cybercriminal calls an employee with a believable story (often impersonating
a C-level officer, an IT person, or a similar trusted role in your company), and
asks the employee to disclose sensitive information over the phone.
3. Media Dropping – The cybercriminal puts malicious files on a USB drive and leaves
them in high-traffic areas (coffee area, cafeteria, break room, printer room, parking lot,
and so forth). Once an employee inserts the USB drive into a company-connected
computer, the system is infected with malware that enables the cybercriminal to take
control of the employee’s computer.
4. Physical access to sensitive areas – The cybercriminal parks in your company’s parking
lot and observes the area for weak physical controls. The cybercriminal uses the
weak physical controls to gain access to sensitive areas, and then either steals computer
systems, or connects to the network to access your systems and steal sensitive data.
COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
Covering the essential information in your cybersecurity training is one thing, but employee
retention of the training content is key. Here are some tips for increasing the chances of information
retention:
1. Make it personal – One example of personalizing your cybersecurity training is to incorporate how
workforce members can protect themselves both at work and at home. For instance, one of VIMRO’s
training sessions includes a checklist for protecting yourself from identity theft (appended to this document
as Attachment A).
2. Incorporate humor – Humor makes the information you disseminate more entertaining and enjoyable
for the attendees. VIMRO often shows cartoons or funny videos that are relevant to the essential message
and are more likely to hold your employees’ attention.
3. Tell real-world stories – People are more likely to remember something if it actually happened, especially
if it happened within your organization. VIMRO usually incorporates lessons learned first-hand and
recounts stories of successful and unsuccessful attempts to social engineer access to your company’s
network from your company’s last social engineering exercises. For instance, Attachment B lists some data
elements that a cybercriminal can learn about a person and their company. Most people do not recognize
how much information is available about them and where they work. Learning the publicly available
information beforehand makes it easier for a criminal to deceive an individual or the individual’s co-workers,
friends, and family. Examples of how a criminal can use this information include:
a. Fraudulent wire transfers
b. Impersonating the target victim to obtain their bank account information, passwords, social security
numbers, and other Personally Identifiable Information (PII) from other victims who are
associated with the primary target
c. Identity theft of either the primary victim or people associated with the primary victim
Conduct social engineering exercises at least annually to ensure that your training is effective. As
an example, VIMRO’s exercise methodology includes:
1. Social Engineering Phishing Exercise:
a. Recreate a client’s website, so that workforce members log into it believing that it is an actual
client’s site. The fake website captures account and password information from anyone deceived
into logging into the system.
b. Send a fake email to workforce members. The email attempts to influence them to log into a fake
site using their network account and password.
c. Analyze the results and write a report on the exercise.
2. Social Engineering Pretexting Exercise:
a. Call users impersonating a trusted source.
b. During the call, attempt to obtain the user’s account and password.
c. Analyze the results of the exercise and write the report.
3. Physical Security Penetration/Walkthrough Exercise:
a. Attempt to gain unauthorized access to conference rooms or other work areas.
b. Attempt to access the network from a work area that has network access.
c. Once on the network, try to find and access weak systems by conducting
vulnerability scans and other penetration testing methods.
d. Conduct a walk-through of work areas in search of sensitive information on
desks (unattended logged-on workstations, papers with sensitive information left
in plain sight, and so forth).
e. Leave USB drives with harmless files on them in public areas (parking lots,
bathrooms, conference rooms, lunch/break rooms, and so forth). The USB
drives report into VIMRO’s secured and monitored systems if anyone plugs them
into a network-connected computer.
f. Leave an envelope addressed to a specific individual or department from a
publicly known entity with whom they do business. The envelope contains a
note and a CD/USB drive with harmless files on it. The CD/USB drive reports
into VIMRO’s secured and monitored systems if someone plugs it into a
network-connected computer.
g. Analyze the results of the exercise and write the report.
Conducting the above training decreases your workforce’s vulnerability to social
engineering attacks, and reduces your company’s risk of breaches to sensitive
systems and data.
You can use the outcomes of the above exercises to determine the:
• Effectiveness of your existing security program as it relates to human processes and
procedures
• Extent of your workforce members’ training as it relates to information handling and
disclosure
• Capability of your workforce members to report incidents to management
• Capability of management to respond to incidents reported by workforce members
• Capability of your personnel to identify and mitigate social engineering attempts
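Each exercise above ends with "analyze the results and write the report", and the bullets just listed are the measures that report should speak to. The following script is an added example (not VIMRO's tooling) that scores a combined phishing and pretexting exercise from a per-person result log; the CSV rows, column names and department labels are constructed sample data.

```python
# Score a social engineering exercise (phishing + pretexting) for the write-up.
# Added example, not VIMRO's tooling; the CSV below is constructed sample data.
import csv
import io
from collections import defaultdict
from statistics import median

# One constructed row per workforce member contacted during the exercise.
# action: none | clicked | submitted (credentials entered on the fake site)
#         | disclosed (account details given over the phone)
SAMPLE_CSV = """user,department,channel,action,reported,minutes_to_report
alice,finance,phishing,submitted,no,
bob,finance,phishing,clicked,yes,42
carol,it,phishing,none,yes,5
dave,sales,pretexting,disclosed,no,
erin,sales,pretexting,none,yes,12
frank,it,phishing,none,no,
"""
COMPROMISED = {"submitted", "disclosed"}  # outcomes that would be a real breach

def load_results(text):
    return list(csv.DictReader(io.StringIO(text)))

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(rows):
    """Overall rates, per-department counts, and who needs follow-up training."""
    depts = defaultdict(lambda: {"contacted": 0, "compromised": 0, "reported": 0})
    engaged = compromised = reported = 0
    report_times, follow_up = [], []
    for r in rows:
        d = depts[r["department"]]
        d["contacted"] += 1
        engaged += r["action"] != "none"      # opened the door, even if nothing given up
        if r["action"] in COMPROMISED:        # credentials or account data handed over
            compromised += 1
            d["compromised"] += 1
            follow_up.append(r["user"])
        if r["reported"] == "yes":            # measures the reporting path, not just resistance
            reported += 1
            d["reported"] += 1
            report_times.append(int(r["minutes_to_report"]))
    n = len(rows)
    return {"contacted": n, "engaged_pct": pct(engaged, n),
            "compromised_pct": pct(compromised, n), "reported_pct": pct(reported, n),
            "median_minutes_to_report": median(report_times) if report_times else None,
            "by_department": dict(depts), "follow_up_training": sorted(follow_up)}

if __name__ == "__main__":
    print(summarize(load_results(SAMPLE_CSV)))
```

The reported rate and median time to report answer the two "capability" bullets above (workforce reporting and management response), while the per-department compromise counts show where retraining is needed.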
Contact VIMRO for more information about how we have helped organizations
create, enhance, and maintain their workforce cybersecurity-training programs.
Authored by VIMRO’s Cybersecurity Leaders
Attachment A
Identity Theft Protection Checklist
• Get a free credit report using only one of these vendors every 4 months – TransUnion,
Equifax, Experian: https://www.annualcreditreport.com/index.action
• Create a Google Alert for your name so that you will be alerted when a new address is
associated with your name
• Conduct a search on your name once every four months:
o http://www.whitepages.com/
o https://pipl.com/
o http://www.peekyou.com/
o https://www.facebook.com
o http://www.intelius.com/
o http://www.zoominfo.com/
• Opt out of preapproved credit: https://www.optoutprescreen.com/?rf=t
• Apply a credit freeze: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
• More tips: https://www.consumer.ftc.gov/topics/identity-theft
• If you do not want to do it yourself, consider one of these Identity Theft Protection
Service Providers: http://identity-theft-protection-services-review.toptenreviews.com/
Clues That Someone Has Stolen Your Information
• You see withdrawals from your bank account that you can’t explain.
• You don’t get your bills or other mail.
• Merchants refuse your checks.
• Debt collectors call you about debts that aren’t yours.
• You find unfamiliar accounts or charges on your credit report.
• Medical providers bill you for services you didn’t use.
• Your health plan rejects your legitimate medical claim because the records show you’ve
reached your benefits limit.
• A health plan won’t cover you because your medical records show a condition you
don’t have.
• The IRS notifies you that more than one tax return was filed in your name, or that you
have income from an employer you don’t work for.
• You get notice that your information was compromised by a data breach at a company
where you do business or have an account.
Attachment B
An Example of Internet Intelligence on a Person
After the simple task of learning a company technology
executive's name, we searched publicly available
information. Within thirty minutes, we obtained his
full date of birth, his last four home addresses, six
phone numbers for him, and nine current and previous
email addresses. We also learned his present home
address, when his home was purchased, how much he
paid for it, and the names of its additional occupants.
He is currently employed by a private, family-run,
half-billion-dollar corporation. We identified its CEO,
CFO, and several relatives of its original owner. We
obtained the birthdate of each of the aforementioned,
their present residences, their interests, and hobbies.
After cross-referencing social media, we concluded
that the family executives of the corporation take an
annual vacation abroad at the same time every year.
Had we been fueled by malicious intent, we could
have easily found deeper details, as well as additional
information for socially engineering even more targets.
And, if we had nefarious purposes (such as monetary
gain or disruption of business for other reasons), we
could have leveraged all this information to attack the
organization and its employees.