As you read in Part 1 of this article, some of the most devastating threats come from insiders. "Insiders," as we have defined them, include anyone with access to your physical office space or electronic access to your network. Too many enterprises have already learned the hard way that security technology alone cannot secure the enterprise. Leaving insiders uninformed about security issues exposes your enterprise to unnecessary risk that can directly affect corporate revenue, workforce productivity and the cost of doing business. Where your IT security solutions stop, security education and awareness training must start, so that the gaps between them stay as small as possible. Insiders need to be aware of and understand information security issues and behave in a security-conscious manner, and you need to provide the impetus for that awareness.
Social engineering tactics
Social engineering plays upon people's natural inclination to trust others and their desire to help out. Attackers succeed if they can get your insiders to fall for their tricks; the same tactics fail against insiders who are informed and aware. Social engineering takes a number of forms, but every method is intended to entice an unsuspecting user into helping the attacker, whether by opening an attachment that unleashes a virus or by handing over sensitive information that furthers the attacker's efforts.
Social engineering attempts can pop up at any time during a normal workday, and they rarely look threatening. It is your responsibility to make sure your insiders are aware of the following threats so they will not be easy prey:
- Email attachments – If an employee opens unsolicited email attachments, or does not scan attached documents for viruses before opening them, the enterprise is vulnerable to virus attacks. Make sure employees are educated not only about viruses and the danger of opening an unexpected or suspicious-looking attachment, but also about what happens once a virus executes. The Anna Kournikova and I Love You viruses were successful social engineering attacks: their enticing subject lines piqued recipients' curiosity, and both arrived as script attachments whose names (AnnaKournikova.jpg.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs) put a harmless-looking extension in front of the real one, so many people opened them.
- File sharing – The trust people place in file sharing is a habit attackers readily exploit. Many peer-to-peer (P2P) programs today bundle "spyware," which lets the program's author, and sometimes other network users, see what your employee is doing, which Internet sites they visit, and even use the employee's computer resources without their knowledge. Employees must be informed and responsible downloaders, wary of suspicious files that might be infected.
- Instant Messaging (IM) and Internet Relay Chat (IRC) – Employees who use IRC and IM services should know about the ploys used to lure them into downloading and executing malicious software, which can let an intruder turn their systems into attack platforms for launching distributed denial-of-service (DDoS) attacks.
- Request for information – Attackers do not always work through the computer. Sometimes they contact your insiders over the phone or in person. An attacker might call an insider while impersonating someone in a position of authority or relevance who has an urgent need for information, and try to talk the user into providing it. Help desk employees are frequent targets of this tactic and should be especially alert to it. Make employees aware that legitimate IT and help desk staff never need a user's password, so any request for one is itself a warning sign, and that anyone asking for other sensitive information should be verified (for example, by calling back on a known number) before anything is disclosed.
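The attachment lure above can be checked mechanically at the mail gateway or on the desktop. The Python below is an added example written for this edit; it is not code from the original article or from Symantec. It parses a message constructed here to mimic the shape of the Anna Kournikova mailing (a `.jpg.vbs` attachment; the real worm used the filename AnnaKournikova.jpg.vbs, and I Love You used LOVE-LETTER-FOR-YOU.TXT.vbs) and flags attachments whose visible extension is a decoy for an executable one. The extension lists, the padding-space check and the sample message are this example's own assumptions, not something the article specifies.

```python
"""Flag e-mail attachments built on the lure described above: a curiosity-
piquing name whose real, executable extension is easy to overlook.

Added example for this article; not Symantec's or eWEEK's code. The message
below is constructed to mimic the shape of the Anna Kournikova mailing
(a .jpg.vbs attachment); it is not a captured sample and carries no payload.
"""
from __future__ import annotations

from email import message_from_string

# Extensions that Windows runs directly when the file is double-clicked
# (assumed list for this example; extend to taste).
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "lnk",
}
# Extensions a user reads as harmless content. Attackers place one of these
# before the executable extension ("photo.jpg.vbs") so the name looks safe.
BENIGN_LOOKING_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name looks suspicious (empty if none)."""
    reasons: list[str] = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all
    final_ext = parts[-1].strip()
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final_ext}")
    # "name.jpg.vbs": the visible extension is a decoy for the real one.
    if len(parts) >= 3 and parts[-2].strip() in BENIGN_LOOKING_EXTS:
        reasons.append(
            f"double extension .{parts[-2].strip()}.{final_ext} hides the real type"
        )
    # Runs of spaces push the real extension past the edge of the client's column.
    if "   " in filename:
        reasons.append("padding spaces hide the end of the filename")
    return reasons


def scan_message(raw_message: str) -> list[tuple[str, list[str]]]:
    """Parse an RFC 822 message and list every attachment that trips a check."""
    msg = message_from_string(raw_message)
    findings: list[tuple[str, list[str]]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part, not an attachment
        name = part.get_filename()
        if not name:
            continue  # body text without a filename
        reasons = classify_attachment(name)
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed test message (not a real capture). The .vbs body is a harmless
# base64-encoded 'MsgBox "test"'; the PDF body is just the "%PDF-1.4" header.
SAMPLE_MESSAGE = """\
From: "A colleague" <colleague@example.com>
To: user@example.com
Subject: Here you have, ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi: Check This!
--b1
Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs"
Content-Disposition: attachment; filename="AnnaKournikova.jpg.vbs"
Content-Transfer-Encoding: base64

TXNnQm94ICJ0ZXN0Ig==
--b1
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQ=
--b1--
"""

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {'; '.join(reasons)}")
```

Run stand-alone, the script reports only the `.jpg.vbs` attachment; `agenda.pdf` passes. A filename check like this is a cheap complement to virus scanning, not a replacement: it catches the disguise, while a scanner is still needed for a malicious document that carries a plausible extension.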
Start an “office watch” program
Consider creating an internal office watch program, similar in spirit to a neighborhood watch. If you set up an open atmosphere that encourages employees to stay alert and report suspicious activity, it will be easier to get a handle on potential problems before they turn into real trouble. Encourage your employees to:
- Report suspicious behavior, such as shoulder surfing or unauthorized people using a PC they shouldn't have access to.
- Report any contact from someone seeking unauthorized access to information to a security manager or other authorized personnel.
- Take their security concerns to a security manager or other designated person rather than discussing them with co-workers.
Building awareness is key
In addition, you and your security team should always be on the lookout for employees who are not acting in a security-conscious manner. If you see a computer left unlocked and unattended in an office, passwords written on sticky notes posted to a monitor, or other sensitive company information left out in the open, speak to the employee responsible about what you found, and make sure they understand exactly how their actions may threaten the enterprise.
Even if you have security policies in place, your job is not done. The policies must be communicated and understood by everyone.
Here are some things you should be doing to promote security:
- Distribute printed giveaways (pencils, mouse pads, etc.) and put posters and signs on your office walls promoting your security awareness message.
- Require all new employees to go through a security orientation.
- Give them tips on determining what information (on the computer and on paper) is confidential and how to protect it.
- Help them appreciate the value of the information your enterprise holds.
- Make them aware of the risks of social engineering.
- Encourage refresher security training for current employees.
Consistently and constantly reinforcing everyone's personal responsibility and accountability for your enterprise's security can go a long way. Enterprises must make security part of every employee's job, regardless of the level of access an employee has to the computer network. With everyone on security's side, there is less room for lapses in the areas that security technology cannot protect.
Many enterprises lack the in-house resources to plan, build, test, implement and measure an effective and comprehensive employee security awareness program. A well-run corporate security awareness program motivates and engages employees by delivering the security messages critical to protecting your organization's valuable data, and gives you the means to implement that program across the organization.
Kathy Coe is Director of Education Services for Symantec. She has more than 20 years of experience designing, implementing, and managing customer-focused training solutions for organizations. Over the last six years her business education experience has been focused on the information security industry.