Google the top social engineering attacks. What do you get? Stories about Trojan Horses, phishing attacks, malware injections, redirects, spam, and people giving up way too much personal information on public websites. The surface area for social engineering attacks is as big as all the employees and users in your corporation. The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user. I am going to address one very specific aspect of internal security and leave you with the following: the most important protection you need in your company is the ability to say “No”.
Knowing the history of these attacks is useful, but on its own it is not going to protect you. The attackers are always a step ahead of those of us defending our information. A social engineer will always find a new way to do what they do. Someone who wants to target your company should be considered an unending well of creativity, and must be treated as such. Keep in mind that technology always changes, but the humans using that technology do not. You can protect yourself with all the technology you want, but just one human mistake can blow your company’s doors wide open. Humans are the attack surface on which a social engineer strikes!
“The best social engineering attack will involve nothing but an unnoticed slip or mistake from one user.”
Therefore, the problem we have as IT professionals is keeping age-old human flaws from turning into a technological attack. The following is an omnipresent human flaw that I would like to specifically address: I have worked at many financial institutions. At every institution, there is always a slew of executives, managers and the like who want to be treated “special”. They want access to the network on their personal laptop. They want access to the network on their iPad, but they also let their kids play with that iPad. They want access when and where they should not have it, and they are in powerful positions that make them very difficult to reason with. They want things that will make their professional lives even easier than we in IT already struggle to make them. Unfortunately, in IT we are in the habit of saying “Yes”. I have seen Directors and CTOs create special exceptions for other high-ranking users to garner favors and popularity, but also because they are scared for their own position. This is lazy; this is arrogant; this is stupid; but most of all, this is human. We human beings are the system attacked by social engineering, and then we leave ourselves open by falling prey to our insecurities, giving an attacker an invitation to storm our gates. All IT needs to learn to say is “No”, and IT management needs to be strong and stubborn for the good of the company. One of the best ways to protect your company from social engineers is to learn how to say “No”. Keep politics and climbing the office ladder out of IT security!
I know I am addressing a very specific aspect of IT, but one of the best ways to shrink your attack surface is to learn how to say “No”. It takes strong leadership and determination from IT management to keep our protection streamlined. Only after our protection is streamlined can we properly educate our users and build a secure infrastructure. Every individual exception opens a Pandora’s Box for social engineers to find (or even just stumble upon) and exploit.
By: Alex Markowitz