What is social engineering? How criminals take advantage of human behavior

That firewall won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Here's what you need to know to protect your organization and your users.


Also, nearly all of the experts interviewed agreed that training staff to question interactions when a situation doesn't feel right, and supporting them when they do, will go far in lowering social engineering risk. “Train your staff that it's okay to say no,” says Shane MacDougall, principal partner, Tactical Intelligence. “We have traditionally taught employees that the customer is always right, and that we want to make sure the customer experience is smooth. Attackers use this to their advantage. Your staff need to know that if a conversation is making them get an uncomfortable feeling, or something feels off, it's totally fine to terminate the interaction, or refer it to a manager. It's very important to back this up — if an employee annoys a customer over what they perceive as potential security issues, they need to know that you will have their backs,” MacDougall says.

Liberty Mutual’s Blow agrees: “You have to give your employees the freedom to say ‘no’ if they feel something isn’t quite right in a situation,” he says.

Are there any tools to help make this process more effective?

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, and more.

Another good resource is The Social Engineering Framework.

“Currently, the best defense against social engineering attacks is user education and layers of technological defenses to better detect and respond to attacks. No one expects any effective dedicated technical defense to social engineering to arise any time soon. Technical defenses will definitely help reduce the occurrence of social engineering attacks. Detection of key words in emails or phone calls can be used to weed out potential attacks, but even those technologies will probably be ineffective in stopping skilled social engineers. Also realize that a lot of attacks take place outside of the workplace — striking up a conversation at a bar is an extremely effective way of getting information out of a target; this is where training and awareness can help,” says MacDougall.
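To make the point about keyword detection concrete, here is a small added example (not code from the article or from any vendor it mentions) of the kind of email screening layer MacDougall describes. It parses a message with Python's standard `email` library, counts hits against a hand-picked list of pressure phrases, and checks whether `Reply-To` points at a different domain than `From`. The term list, the flagging threshold and the two sample messages are all assumptions constructed for the demo; the second message is a deliberately low-key pretext that contains none of the keywords and therefore passes, which is exactly the gap the text says training has to cover.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed, hand-picked pressure/pretext phrases. A real list would be tuned
# per organisation, and even then it is only one weak signal among several.
PRESSURE_TERMS = (
    "urgent", "immediately", "verify your account", "wire transfer",
    "gift card", "do not tell", "keep this confidential", "suspended",
    "click here",
)


def domain_of(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Parse one RFC 5322 message and return the signals a keyword filter can
    compute: which pressure terms appear in subject or body, whether Reply-To
    names a different domain than From, and a flag decision. The decision
    rule (two or more terms, or one term plus a Reply-To mismatch) is an
    assumption for the demo, not a recommended production threshold."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = ((msg["Subject"] or "") + "\n" + body).lower()
    hits = [term for term in PRESSURE_TERMS if term in text]

    _, from_addr = parseaddr(msg["From"] or "")
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    reply_mismatch = bool(reply_addr) and domain_of(reply_addr) != domain_of(from_addr)

    flagged = len(hits) >= 2 or (len(hits) >= 1 and reply_mismatch)
    return {"hits": hits, "reply_mismatch": reply_mismatch, "flagged": flagged}


# Constructed sample messages for the demo; not real traffic.
OBVIOUS_PHISH = """\
From: "IT Service Desk" <helpdesk@example-corp.com>
Reply-To: support@mail-reset-portal.example
Subject: URGENT: your account will be suspended
Content-Type: text/plain

Your mailbox is over quota. Click here immediately to verify your account
or it will be suspended by end of day.
"""

QUIET_PRETEXT = """\
From: "Dana Whitfield" <dana.whitfield@example-corp.com>
Subject: Thursday visitor list
Content-Type: text/plain

Hi - it's Dana from the Boston office. Could you send me Thursday's
visitor list when you get a chance? Building security asked for it.
Thanks so much!
"""


if __name__ == "__main__":
    for label, raw in (("obvious phish", OBVIOUS_PHISH), ("quiet pretext", QUIET_PRETEXT)):
        result = screen_message(raw)
        print(f"{label}: flagged={result['flagged']} "
              f"hits={result['hits']} reply_mismatch={result['reply_mismatch']}")
```

Run as a script, the first message is flagged on five keyword hits plus a Reply-To domain mismatch, while the second message, which is the more dangerous of the two because it asks for something an attacker can actually use, produces no hits at all. A filter like this is worth having as one layer, but the second outcome is why the article puts its weight on staff who feel free to stop and verify.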
