12 October 07
Stealth Attack: Defending Your Business from Social Engineering
As cyber-criminals deploy increasingly sophisticated techniques, even the savviest corporate users are vulnerable to malware spread using social engineering tricks. Here's how to protect your business.
The con is as old as Three-Card Monte, and the Internet has created many new ways for criminals to dupe unsuspecting users into parting with their money or valuable information.
Today, some of the most dangerous cyber-attacks are spread using social engineering tactics, which trick individuals into taking actions that benefit the perpetrator, often to the victim's own detriment. Attackers may pose as a trusted third party in order to trick users into volunteering sensitive information, launching malicious applications, or compromising their security in some other way. By the time the victim realizes he or she has been duped, the damage is done.
Taking Advantage of Human Nature
Naïve users - children and people who are new to using the Internet - have long been favorite targets of cyber-criminals. Security experts say that as these techniques of trickery become more advanced, attackers will ensnare more savvy users. This trend has direct implications for businesses, particularly if companies' most knowledgeable workers fall victim to these attacks. "Corporate and IT professionals are susceptible to social engineering attacks like anyone else," says Don DeBolt, director of content and research for anti-spyware at CA.
"Any attack that originates from a trusted source is going to be much more potent," says DeBolt. "If someone on your instant-messenger buddy list has been compromised by a malicious application that uses instant messaging, there's no way to tell that the message is coming from your coworker, friend, or the attacker."
It is not so much the technical sophistication of social engineering attacks that makes them dangerous as the fact that these criminals take aim at non-technical weaknesses, which are far harder to secure.
"What makes social engineering attacks highly effective is the fact that businesses can implement as much security software as they like and they can apply all possible patches to their systems, and yet if people are using those systems, the systems are vulnerable," says Brian Grayek, Vice President at CA eTrust research and development. "People are the highest vulnerability," he adds.
"Attackers use social engineering methods in very low-tech ways," says Grayek. Attackers often take advantage of existing relationships of trust. A classic social engineering attack is one where an attacker telephones employees and pretends to be a help-desk staffer in order to get the employee to volunteer his or her login credentials. Attackers will always choose the path of least resistance: it may be easier to trick someone into giving up their password than to expend the effort to crack it. Another common ruse is to pretend to be someone in a position of authority. Attackers may also play on the victim's greed (à la Advance Fee Fraud).
Steps for Protection
So how can security professionals arm their businesses against these surreptitious attacks? And what kind of new and even more sophisticated social engineering exploits should IT professionals be looking out for in the future?
Having the appropriate controls in place to protect all IT resources is critical. DeBolt says that companies of all sizes struggle with the fundamentals of security, including patching and hardening systems. Businesses can enforce a great degree of control over their network assets through security solutions such as firewalls, secure content management, anti-spam and anti-virus software. For instance, the CA Threat Manager for the Enterprise helps IT professionals block the spread of malware through social engineering. CA Internet Security Suite Plus 2008 prevents users from accessing potentially dangerous websites and blocks spam, which may be carrying some of these threats.
"At a minimum, companies should employ host intrusion prevention systems to implement policies that ban unsafe applications and configurations that could leave users more exposed to social engineering threats," Grayek advises.
"Companies should also use the principle of least privilege to ensure that users are only given the privileges that are required to perform their role and nothing more," he adds.
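To make the two recommendations above concrete, here is an added example (not code from the article, nor from any CA product) of a small endpoint policy audit: it flags banned applications and unsafe configuration settings in the spirit of a host intrusion prevention policy, and reports any permissions a user holds beyond what their role requires, which is the least-privilege check. All host, user, role, application and configuration names are constructed for illustration.

```python
"""Added example (not from the article or CA's products): a minimal policy
checker combining a HIPS-style ban list with a least-privilege role audit.
Every host, user, role, application and config key below is constructed."""
from dataclasses import dataclass

# Constructed role -> permission mapping: each role carries only the
# permissions its job needs (principle of least privilege).
ROLE_PERMISSIONS = {
    "accounting": {"read_ledger", "write_ledger"},
    "helpdesk": {"reset_password", "read_ticket"},
    "developer": {"read_repo", "write_repo"},
}

# Constructed HIPS-style policy: executables that must not run on a host,
# and configuration keys with the only value the policy allows.
BANNED_APPLICATIONS = {"p2p_client.exe", "unsigned_im_plugin.dll"}
REQUIRED_CONFIG = {"autorun_removable_media": False, "macro_execution": "disabled"}


@dataclass
class Host:
    name: str
    user: str
    role: str
    granted: set   # permissions actually granted to the user on this host
    running: set   # executables currently running
    config: dict   # observed configuration values


def excess_privileges(host):
    """Permissions the user holds beyond what their role requires."""
    return sorted(host.granted - ROLE_PERMISSIONS.get(host.role, set()))


def policy_findings(host):
    """All policy violations for one host, as human-readable strings."""
    findings = []
    for app in sorted(host.running & BANNED_APPLICATIONS):
        findings.append(f"banned application running: {app}")
    for key, allowed in REQUIRED_CONFIG.items():
        observed = host.config.get(key)
        if observed != allowed:
            findings.append(f"config {key}={observed!r}, policy requires {allowed!r}")
    for perm in excess_privileges(host):
        findings.append(f"excess privilege for role {host.role}: {perm}")
    return findings


def audit(hosts):
    """Map each host name to its list of findings (empty list means compliant)."""
    return {h.name: policy_findings(h) for h in hosts}


# Constructed sample inventory: ws-01 is compliant, ws-02 violates all three checks.
SAMPLE_HOSTS = [
    Host("ws-01", "alice", "accounting", {"read_ledger", "write_ledger"},
         {"excel.exe"},
         {"autorun_removable_media": False, "macro_execution": "disabled"}),
    Host("ws-02", "bob", "helpdesk", {"reset_password", "read_ticket", "write_ledger"},
         {"p2p_client.exe", "outlook.exe"},
         {"autorun_removable_media": True, "macro_execution": "disabled"}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the script lists ws-01 as compliant and three findings for ws-02: a banned application, autorun left enabled on removable media, and a ledger-write permission that a help-desk role has no business holding. In a real deployment the role map and ban list would come from the organisation's policy source rather than module constants, and the audit would run against inventory pulled from the endpoints.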
Defending the enterprise against socially engineered attacks gets more difficult when the workers have mobile devices. DeBolt urges companies to deploy controls on laptops and PDAs to make sure the same level of security that protects computers inside the corporate walls applies no matter where the users go.
Education is a crucial line of defense against social engineering. IT professionals need to keep current with emerging malware trends and social engineering techniques. Security basics like periodic notifications to remind employees of the common techniques cyber-criminals use in these attacks can go a long way toward heading off damage. DeBolt says employees should be reminded not to allow children to use corporate assets, because minors are a prime target for adware manufacturers.
Defending against today's attacks is difficult. The attack landscape is vast and a network has many points of entry. DeBolt advises that companies should go back to the fundamentals of security. This starts with understanding where their potential vulnerabilities lie and then taking steps to limit their exposure. Only then can a company even begin to mount an adequate defense against a range of threats including social engineering attacks.