...you're asking for a perfect defense. This is a recipe for failure.
One bad day and an social engineering attack can succeed where it wouldn't normally.
Education *helps*, but relying on every individual to be perfect every time is stupid. Just as stupid as any other single-layer defense--and that's what you're advocating here.
Since the weak link is *every person in the organization* your attack surface is enormous. If education fails at least once (and it certainly will) what's the second layer?
Seems to me there isn't one...
Believe it or not, the greatest threat to your personal or corporate computing environment is you. You put your personal and collective corporate security at risk every day by just being you. It’s not a particular personality flaw with you as an individual but rather it is your innate human response to other humans. You want to be open, helpful and kind but those attributes are also your security Achilles’ heel. The quote, “A little kindness goes a long way,” is no less true when speaking of computer security. That wee bit of kindness that you show a stranger could put your personal and corporate security at significant risk and could result in very high remedial costs.
The Background
Attackers who want into your network or who want your data will take the path of least resistance to attain their goals. If your systems aren’t patched, they’ll attack and compromise them. If your network security lacks the proper defenses, they’ll trot through that open gate with ease. If your physical security is a joke, the joke will soon be on you, when an attacker can make his way into your offices to drop a USB drive, to grab information from a desk or to have a ‘look see’ on an unlocked computer. Finally, if your people aren’t prepared for social engineering attacks, all your other defenses are useless.
The Problem
From a corporate standpoint, your network security team and system administrators can maintain patches, apply updates and install security software but they can’t fix you. There’s no patch available for your vulnerabilities. Social engineering is the most effective attack mode on any computer system or network. It is 100 percent effective. It also leaves the fewest traces and always involves someone on the inside doing something or saying something that gives an attacker the surface he needs to gain access to systems, data and information.
The Solution
The solution, simply put, is education.
An expanded version of my terse answer can be found in Christopher Hadnagy’s, Social Engineering: The Art of Human Hacking, final chapter.
“Security through education cannot be a simple catch phrase; it has to become a mission statement. Until companies and the people who make up those companies take security personally and seriously, this problem won’t be fixed completely. In the meantime, those who were serious enough to read this book and to have a desire to peer into the dark corners of society can enhance their skills enough to keep their families, selves, and companies a little more secure.
Until companies begin to realize their vulnerability to social engineering attacks, individuals will have to educate themselves about attack methods and stay vigilant, as well as spread the word to others. Only then do we have hope of staying if not one step ahead of an attack, then not too far behind.”
One of the biggest hurdles to overcome is your own self-conceit in thinking that it can’t happen to you. When I interviewed Christopher, I was shocked by the percentage of successful social engineering attacks he’s performed over the years. It’s very disheartening to know that he has a 100 percent success rate at social engineering attacks. That number should alarm you as well.
How do we protect ourselves, when it seems that the situation is hopeless?
It isn’t hopeless but social engineering attacks, as successful as they are, can be made so difficult that an attacker will seek easier prey elsewhere. Your job is to make the attacker’s job very difficult. Learn the paths that your enemy will take to attack you and lower his attack surface.
How can you do this?
It requires a high-level of constant vigilance and perhaps scripted responses to “harmless” questions from strangers. It also requires 100 percent compliance from every employee, including maintenance and housekeeping staff. Education is the key to prevention but you must also have a disaster recovery plan. Knowing how successful social engineering is, you have to construct a recovery plan should you fall victim to an attack.
Unfortunately, good information with which to educate yourself is scarce. Much of what you’ll find is generic information, misleading information, incorrect information or information that will make you more vulnerable to an attack.
Have you ever been the victim of a social engineering attack? What was the outcome? Talk back and let me know.
