Experts: Social Engineering Attacks Harder To Stop



Michael Heller at TechTarget wrote a good, longish article where he concluded: "As more personal and corporate information is shared on the Web, social engineering techniques and attacks are becoming increasingly sophisticated, forcing enterprises to adopt new awareness training methods to protect employees."

I'm giving you a short summary and you can read the whole thing here. When looking at enterprise security, social engineering (SE) often means convincing a company employee to click a malicious link or open a malware-infected file, and the transmission method for these attacks is most often email. SE is a major component of IT's longstanding battle with phishing schemes. It's also an element in the resurgence of macro viruses, which rely on SE messages that convince employees to override the security settings designed to prevent macros from running.

Cody Pierce, director of vulnerability for Arlington, Va.-based security research firm Endgame, said: "Without the social engineering aspect, it's harder to get past the point where you need user interaction for the exploit. For macro viruses and such, there will be warnings, so you need social engineering to get users past that point."

A Social Engineering Renaissance

Pierce and other experts said that these types of attacks are getting more difficult to stop because of the wealth of information made publicly available on the Web via social media. That information can be used to craft much more convincing and targeted attacks, which has led to something of a renaissance for SE.

"Twitter will tell you what app is used to post, which leads to what platform is used. LinkedIn connects to work contacts, and Facebook has everyone," said Pierce. "Phishing will continue to stay popular as long as we're all connecting over the Internet and easy to talk to or build a relationship with, because someone will take advantage of that situation."

According to Randy Trzeciak, technical manager at Carnegie Mellon University's CERT Insider Threat Center, outsiders will often use social media sites like Facebook, LinkedIn and Twitter to gather information and piece it together to look like an employee is receiving a message from someone they trust.

"I do believe [attacks] are getting more realistic looking in terms of impersonating someone in the organization," Trzeciak said. "With the amount of information publicly available on an organization's employees, outsiders are more able to craft a message that looks authentic."

Security Awareness Training Needs To Catch Up

As SE techniques get more sophisticated and attacks appear more like authentic messages, experts say that training methods need to evolve as well. Baker said that the trick to educating employees has always been to make people suspicious of these requests, but that is getting more difficult because it often isn't enough to simply have users keep an eye out for improper use of language or odd typos.

Experts all agreed that traditional training sessions that happen infrequently are not enough. Trzeciak said that training needs to be done in levels, beginning with teaching employees to look out for misspellings and improper use of language. The next level includes making certain employees aware that they are at greater risk of being targeted, including those with access to financial information and other sensitive data. Lastly, employees should be made aware of their sharing habits on social networks, and be especially careful with potentially fraudulent friend requests, which could ultimately negate any controls put in place to limit access to information.

A number of experts also advocated more real-time training, including simulated internal phishing campaigns and sending text or social media messages to employees in order to catch those who lapse.

We could not agree more. Find out how affordable this is for your organization today.
