Social Engineering - a Cornerstone in IT-Security Strategies

Dreamlab Technologies

Published on 25.09.2020, Sarka Pekarova

Building an effective IT security strategy is a multi-layered process that combines technology, processes and people. A good strategy should build the security ecosystem on people, and its success must be tested and measured through social engineering. Often overlooked, but extremely rewarding to those who learn how to benefit from it, an understanding of social engineering is especially valuable in these times of digitalisation and remote working.

Even before the current pandemic changed the way we work and how much of our time is spent online, the human elements of our networks were important yet overlooked, and often called the weakest link. Now, more than ever, we have come to realise how important our human assets are and how much we must rely on them to keep our networks safe. With the right support and awareness, the perceived weakest link could become an incredibly strong one. Through the use of technology, processes and awareness training, we are able to measure the effectiveness of the strategies applied.

We could call humans an additional, eighth layer of the OSI model: on top of the existing layers of IT communication, from physical cables to applications, we should add the human element as well. Furthermore, while I think it is important to start bringing the human element into the realm of our security strategies, I also believe that the human element is present in every layer of the OSI model. Humans are the ones putting all the cables, hubs and repeaters into our networks. They are also installing and configuring switches and bridges. Humans are the ones architecting, configuring, deploying and maintaining services, and humans are the ones shutting those services down. They are also the ones coding, testing and engaging with the web applications.

If we find a human element on every layer, then we need to start treating security holistically: our users are our assets and must be treated as part of our threat landscape, with their own vulnerabilities that we need to take into consideration and understand how to remediate, as with any other asset in our network.

Insider threats, such as inadvertent insiders (those inside the company who unwittingly compromise the environment), were reported by the IBM X-Force Threat Intelligence Index 2020[1] to have caused over 8.5 billion records to be compromised in 2019, a number more than 200 percent greater than the number of records lost in 2018. This is a statistic that we cannot overlook, making insider threats an imperative addition to your threat landscape. A third of all initial attack vectors go through a human, but as Ira Winkler says in his talk The Human Exploitation Kill Chain[2], there are at least 10 opportunities to stop a phishing attack, and only 2 of them are user related.

Before an email with malicious content reaches a user, our perimeter devices should be configured to filter it out: our email servers and email clients should detect, filter and quarantine phishing emails. Once an email reaches our users and they click on it, they should be warned before opening a malicious attachment or being redirected to a malicious site. Our endpoint tools should stop malicious programs from loading and from sending data to outside parties, using data loss prevention (DLP), detection of keystroke loggers, and so on. Even if all of the above fails, our network tools should detect both successful and unsuccessful attacks and be able to clean up and report the attempts immediately. Consequently, once all this technology is in place and configured properly, and processes have been applied around it, we should also focus on our users, our human assets.

All of this was true when we worked in an office environment, with our work devices connected to professionally secured office networks. In today's new reality, the threats are even greater: we have been catapulted into further digitalisation, moving our offices to our homes, to unsecured networks, and often to personal devices and physical environments that do not necessarily follow best practice in preserving the privacy required by the nature of the work we do.

I strongly believe that anyone who manages employees should attend training on insider threats: how to prevent, recognise and remediate them. We must learn how to recognise the signs of inadvertent insiders, the same way we safeguard our devices, technology and machines. We should also learn how to protect our people: provide them with a secure work environment where they can thrive, increase their satisfaction, decrease employee turnover, and invest in training new employees as well as preventing the loss of highly skilled ones.

Originally, the Dutch industrialist J.C. Van Marken introduced the term sociale ingenieurs ("social engineers") in an essay in 1894, with the idea that modern employers needed the assistance of specialists in handling the human challenges, just as they needed technical expertise (traditional engineers) to deal with non-human challenges (materials, machines, processes)[3]. For the purposes of this article, we will focus on social engineering as a means to understand, improve and maintain IT Security strategies.

Social engineering is often perceived as too offensive. We often hear from clients that employees' awareness of social engineering is hardly ever tested because it is falsely presumed to be a waste of money that only serves to prove their failure. We have seen first hand how past clients that shifted their strategies to include social engineering training saw their employees develop into the strongest links in their networks, through training, testing and a new understanding of what threats could look like. Additionally, we run red teaming exercises and incident simulations to test a client's ability to defend against and respond to targeted attacks. Social engineering exercises are developed as an adversary emulation with a predefined scenario, used to build and support a particular behaviour and to provide employees with the skills and understanding necessary to recognise potential intruders. Social engineering engagements also give employees the tools to recognise dubious emails, appearing to be from a C-level executive, that ask them to transfer a large sum of money, and help them understand that someone who seems to be calling from headquarters and asking suspicious questions could in fact be soliciting information.
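As an added illustration of the technical controls in the phishing kill chain discussion above and of the executive-impersonation email just described (example code written for this edit, not part of the article or of Dreamlab's tooling), the following Python script scores a raw email for the indicators a mail server or client could use to flag such a message before it ever reaches a user. The organisation domain, the executive list, the keyword list and the two sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation values (constructed for this example, not from the article)
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> legitimate address
MONEY_TERMS = ("wire transfer", "transfer", "urgent", "invoice", "payment", "gift card")

def score_message(raw: str) -> dict:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    indicators = []
    # Display name of a known executive, but the address is not that executive's
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        indicators.append("executive display name with non-matching address")
    # Lookalike or free-mail domain instead of the organisation's own domain
    if from_domain and from_domain != INTERNAL_DOMAIN:
        indicators.append("sender domain is external")
    # Replies silently routed to a different mailbox than the apparent sender
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("Reply-To differs from From")
    # Urgency and payment language typical of a transfer request
    hits = [t for t in MONEY_TERMS if t in text]
    if hits:
        indicators.append("money/urgency language: " + ", ".join(hits))
    # Two or more independent indicators is the (assumed) quarantine threshold
    return {"from": addr, "indicators": indicators, "suspicious": len(indicators) >= 2}

# Constructed sample messages: a fraudulent transfer request and a benign internal mail
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: Urgent wire transfer

Please process a wire transfer of 48,000 EUR today. I am in a meeting, do not call.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 town hall

See you all on Thursday at 10.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(score_message(sample))
```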

Contrary to some opinions, good social engineering practice is all about teaching, supporting and building people's skills. It should not be about scaring people, but rather about providing them with an additional set of skills for the protection of their company and themselves. I want to celebrate those who raised their voice, asked our social engineering consultant about their identity and followed the process of bringing them to the reception or to their superior. I strive to make awareness sessions that will not be the same click-through exercise done to obtain the certificate for passing a security compliance training. I want to challenge employees to try lockpicking themselves, so they can fully understand how easy it is to open cabinets, and to highlight the importance of not leaving any confidential materials around.

Just as we determine our threat landscape for a normal IT network, we should regularly audit our human networks to determine the scope of our threat landscape and the attack surface that relies on human vulnerabilities. In the same way that we determine what the crown jewels of our company are, be it research and development, patented sensitive information or a system holding all the money of the company, we need to understand who our human crown jewels are: possibly high-value targets such as C-level executives, or simply those with access to our already defined crown jewels. This information is then used not only to understand the humans, but also to see where we should reconfigure our IT networks, and which processes and procedures need to be strengthened in order to form a secure ecosystem, thus adapting our IT security strategy so that it is perfectly fitted to our needs.

Sources:

[1] IBM X-Force Incident Response and Intelligence Services (IRIS), 2020: X-Force Threat Intelligence Index 2020, https://www.ibm.com/downloads/cas/DEDOLR3W
[2] Winkler, I., 2017: The Human Exploitation Kill Chain, https://www.youtube.com/watch?v=Ug64JtcccvA
[3] Wikipedia, 2020: Social Engineering (Politikwissenschaft), https://de.wikipedia.org/wiki/Social_Engineering_(Politikwissenschaft)


Unfortunately, Connecta cannot be held as planned. Sarka Pekarova would have been one of the 80 speakers at the event. An alternative programme is available through Connecta TV, Connecta Doc and Connecta Talk – find out more at www.swisspost.ch/connecta.

Sarka Pekarova

Sarka Pekarova is a Social Engineer at Dreamlab Technologies in Bern. She has worked for many organisations in Europe and is a seasoned IT security consultant. She has rich experience as an international speaker, is involved in international community projects, and does research and gives trainings, locally and internationally.
