In a typical social engineering engagement, a threat actor uses social skills and takes advantage of human error to obtain or compromise an organization’s assets.
In our previous blog, we offered a framework for running your own social engineering exercises. To help your organization stay prepared, we’ve outlined how countermeasures can round out your organization’s social engineering policy and protect against social engineering schemes.

Countermeasures against social engineering attacks focus on eliminating human error. Types of countermeasures can be divided into three categories:
Policy and procedures
Policy and Procedures
Having the right policies, protocols, and procedures in place ensures that employees are prepared for potentially vulnerable situations. It’s human nature to feel bad about saying “no”. But if clear procedures are in place for when a situation starts to deviate from the established norms, your employees will be more confident saying “no” and sticking to company procedures during what could be a threatening situation.
Consider this list of policies as a starting point for addressing the threat of social engineering against your company:
Internet usage: Covers acceptable usage of the Internet. For example, only work-related usage may be permitted. This may prevent employees from falling victim to phishing emails that are unrelated to work.
Software policy: Describes what software is acceptable and who has the rights to install and/or update software. Consider giving only a few people the right to install software on computers. This may prevent a vishing attack by a social engineer who asks a victim to install specific software on their computer.
Hardware policy: Describes the hardware that should be used and the acceptable usage. For example, USB sticks may be forbidden. This may prevent employees from inserting malicious USB sticks they found in the company parking lot into their work computer.
Separation of duties: Spells out everyone's responsibilities and access levels. If an employee falls victim to a social engineering attack, this clearly limits the security compromise to what that employee can access and do on the company systems.
Password policy: Gives clear instructions on creating new passwords (length, characters, other characteristics), handling passwords (e.g., not sharing them with other people or reusing them), resetting passwords, etc. For example, if the policy is never to reveal your password to anyone, this may prevent some employees from revealing their password during a vishing attack in which a social engineer impersonates IT personnel.
Physical access policy: Describes the physical access policies, such as having an identification badge on you at all times, not allowing people to tailgate you through secure doors, verifying the identity of all guests, and making sure they are chaperoned.
With threat actors constantly developing their tactics, your team needs to be trained to recognize attacks or, at the very least, situations that deviate from standard operations.
Over time, learned skills may be forgotten. At the same time, the techniques and tactics of our adversaries continue to evolve. Regular and timely training for every member of your team could not be more important.
A holistic training plan should include general security awareness training, regular simulated phishing tests, and full-on social engineering engagements. Employee awareness of information and asset sensitivity and classification is also important. If dealing with highly critical information, your team should be aware that they need to be more skeptical when handling it than when handling assets of lower importance.
Technical countermeasures are designed to prevent the situation from escalating. The goal is to stop threat actors before they have any opportunity to take advantage of human nature in the first place. There are multiple options here, including waste management that safely discards any sensitive information, safe physical access systems (doors, gates, etc.), sophisticated entry cards, person verification, accompanying any guests, etc.
Any countermeasure that you’ve implemented should be assessed for its effectiveness. Are the policies in place still relevant? Has their scope changed with the natural changes in business objectives?
Such reviews can be conducted internally or in cooperation with an outside partner. They can also be conducted passively or actively. A passive review assesses the attack surface only at a theoretical level. An active review includes actively trying to compromise the confidentiality, integrity, and/or availability of information.
The most important piece of any organization’s security plan is its team. As you consider how you’ll keep your organization protected from cybersecurity threats, try communicating with your team in a way that promotes their buy-in to the company’s overall security culture.
The RangeForce platform hosts 700+ cybersecurity training modules to help keep your team prepared. Customers around the world are using our platform to cross-train throughout their companies to build security literacy across functions. Request a demo now.
Join the RangeForce Community Edition to train in an on-demand cyber range.