07 Jan 2019
Published in: Blog
Social Engineering – A Battle of Wits?
Blog written by Ericom Software
Chances are that most of the people you know are good, trustworthy people. You might not want to do coffee with grouchy Tim from accounting, but you could probably count on him not to walk off with any of your belongings if he passed by your office and noticed something you left lying around.
To the adept social engineer, the fact that most people are trusting and helpful is a blessing. It’s what allows them to take advantage of, and blindside, just about anyone — from receptionists to C-level executives. And it’s how they infiltrate even the most secured networks and weasel information out of the most guarded systems with ease: by enlisting the help of one or two unwitting assistants on the company’s payroll.
We humans are far easier to manipulate than a properly configured firewall or a comprehensive endpoint protection tool set. Think about it — it takes less time to dupe someone into handing over his or her passwords (often just a matter of a conversation or two, in which trust is built and then exploited) than it does to brute-force a 10-digit password (in case you were wondering, that takes 4 months).
Employee Awareness Training is the Key — Or is it?
To try to compensate for the human factor, companies turn to employee security awareness training programs. The idea behind these programs is to get employees to the point where they can spot a bogus email or out-of-place miscreant a mile away. With this heightened awareness, companies hope to prevent social engineering from getting the best of their employees and their data.
Education is fantastic; any attempt to raise employee awareness should be duly lauded. Security awareness training can greatly reduce the success rate of attacks commonly associated with data breaches, such as phishing. Now your employees know better than to fall for the “Windows Tech Support” scam, and they probably also realize that poorly worded emails proclaiming that they have won Google’s/Microsoft’s/Apple’s grand prize are bunk and should be deleted and reported.
Human Error Will Always be a “Thing”
Here is the problem: education can only go so far when the enemy is human ingenuity. Attackers are always on the lookout for new ways to con and breach, on both the human and the machine level. So while your employees know to steer clear of some of the more obvious phony emails, they may not suspect that the resume that just landed in your HR inbox is actually a malware-laced attachment. It probably took the attacker just a few minutes to scrape the relevant email address and an actual job opening off your Careers page, and to use that information to craft a highly plausible spear-phishing email. In fact, in the last few years more than a few organizations have been duped by attackers who leveraged this technique to breach the corporate network.
Employee education wouldn’t have prevented a diligent HR person from opening that attachment - by opening it, they were simply doing their job. Moreover, even if employees are doing significantly better than they were before, a single slip-up is all it takes to open the door to infiltrators. When it comes to protecting your network, you need as close to a zero margin of error as possible - anything less isn’t actually protecting your network.
Education + Browser Isolation
The truth is that no matter how much training you provide, people will always make errors. Maybe it will be the new guy, who wasn't around for the last awareness seminar, or maybe it’s an overly eager marketing associate looking for new leads — whatever the case, people will always be vulnerable to social engineering. This is why it’s critical to minimize the degree to which security relies on users' imperfect decision-making capacity.
Technologies that employ a zero-trust security model, such as Remote Browser Isolation, are key to ensuring that even when users make an all-too-human lapse in judgment and click on the “wrong” links, your networks remain uncompromised.