The Weakest Link in IT Security

Today, there are a plethora of programs that will safeguard a company’s IT systems, from anti-virus programs to anti-malware packages that will catch and sanitize even the most stubborn infections. So, the question remains — with all these security programs available, why and how do IT attacks succeed on such a large scale?

The truth of the matter is that the weakest link in the IT security chain is the user, and the weapon of choice for cyber-criminals is social engineering. Basically, social engineering is the process of tricking well-intentioned users into giving up confidential information.

Is social engineering a serious matter? You bet it is. InformationWeek Security reports that during the past two years, 48% of large businesses suffered social engineering attacks at least 25 times. These attacks resulted in average per-incident losses between $25,000 and $100,000. That’s per incident, not total losses! As you can see, the financial damage to a small or medium-sized business (SMB) can be catastrophic.

Some questions you should ask yourself about your IT Security:

  • Do my employees know what type of information not to divulge to anyone outside of the business? Do they know the implications of their actions should they reveal confidential data?
  • Are my company’s IT systems kept up-to-date so threats can be detected and dealt with?
  • Does my company have a plan in place to deal with a cyber-attack to mitigate damage?

How do socially engineered attacks happen even after installing the latest security IT systems? IT security systems usually focus on perimeter security and are more susceptible to an “attack from within”. That is the hallmark of social engineering. Once the cyber-criminal finds someone within your organization that he or she can manipulate and get that person to perform the requested action, it’s too late — your system has been breached. Some of the common methods used in social engineering attacks are:

  • Phone – here the criminal poses as someone to be trusted to one of your employees. The hacker can impersonate a company executive, help desk support, or even a well-known and trusted vendor. Generally, they’ll try to persuade the employee to divulge system passwords.
  • Dumpster diving – the criminal somehow gains access to where you keep your company’s trash and physically looks through it for documents that reveal confidential information. You would be surprised at the type of information that companies simply throw away.
  • Email – the hacker sends an official-looking email to your employees, asking them to open a document or click on a link. Once the employee acts on the request, the criminals are able to bypass IT security and garner confidential corporate information or introduce destructive malware.
    • Another type of email attack is Phishing, where an employee will receive an official-looking email asking for information, often threatening them with “dire action” if they do not comply.
  • Baiting – this is when the criminal puts malware onto a physical medium such as a thumb drive or CD-ROM, sometimes even embossed with the company’s logo, and leaves it in a place where one of your employees will find it. Once the unsuspecting but well-intentioned employee inserts that medium into his or her company PC, the Windows AutoRun feature launches an executable file and the attack is on!

What can you do to thwart or minimize socially engineered cyber-attacks?

  • Employee Education – get your employees together and explain what type of company information should never be divulged.
    • Explain why IT security is important and why they need to adhere to processes and procedures. The more your employees understand the better chance that they will comply. Here’s a great educational video on Social Engineering and what you can do to protect your company.
    • Instruct employees to not blindly click on links in emails, especially from people they do not know.
      • Be wary of emails even from trusted sources. Not everyone practices safe computing and people frequently send links to websites they have visited or files from dubious sources to their contacts. Also understand that not everyone has up-to-date anti-virus programs. Some don’t have it at all!
      • Do not click on executable files contained in emails. Microsoft Support has a list that you can use as a guide. However, there are other file types that can contain malware, even common PDF files. Keep your software up-to-date to take advantage of the vendor’s latest security updates.
    • Describe the different scenarios in which a socially engineered attack can happen so they are aware of these situations when they occur.
    • Make sure employees understand the importance of passwords, how to create strong ones so they cannot be easily guessed.
      • Encourage the use of password managers such as KeePass, rather than keeping a text file on their desktops or even a physical paper log with a list of all of their passwords.
    • Most important, make sure your employees are comfortable to report a cyber-attack to you or your IT, whether it was successful or not. Knowing that an attack occurred will give you a heads up on mitigating damage quickly.
  • Keep all software up-to-date. Vendors (e.g. Microsoft, Adobe, etc.) send out frequent updates to close software vulnerabilities. Cyber-criminals specifically seek out companies with tardy software update practices in order to introduce malware before those updates are eventually applied. Here is where having your servers and workstations managed by a Managed Services Provider (MSP) can be one of the best investments you can make as an SMB.
  • Protect your systems with quality anti-virus and anti-malware programs. YES, you need both! They are not mutually exclusive. No one program can catch all infections, especially given the frequency with which new malware is created. While you should not have more than one anti-virus program (e.g. AVAST, AVG, etc.) running on your system, since they interfere with each other, you should have a few good-quality anti-malware programs on board and use them to scan your systems regularly, even if no infections have been noticed.
    • Some excellent anti-malware programs are Malwarebytes, Spybot Search & Destroy, and Emsisoft. Caution: if you’re looking for the free editions, which are excellent, just make sure you download the correct version. Some of the sites are confusing and you may end up downloading a paid version rather than the free one.
  • Create and enforce a sensitive documents process for your company. Confidential and sensitive documents and files should never be kept on individual workstations. They should always be located on the company’s server(s) where they can be better protected against intrusion.
    • Make sure that any pieces of paper bearing company or client information are locked up or shredded after use. Also, ensure you use high-quality shredders that make it impossible for someone to reconstruct the documents. Sounds like secret agent stuff, but it has been done.
  • Make sure your systems are monitored for signs of intrusion so immediate action can be taken when an attack occurs. Talk to your IT department or MSP to ensure this is happening.
  • Have a company-wide plan in place to deal with discovered attacks. For socially engineered attacks your employees are the first line of defense. Make sure that there are mechanisms in place so they can alert management as soon as an attack occurs, whether successful or not. Once alerted, your IT department or MSP needs to take action to make sure that infections are immediately dealt with so system damage is averted or at least minimized. The quicker they are alerted, the better the outcome for your company.
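As an added example (not part of the original article), here is a small attachment screen that a mail gateway or help desk could run against incoming file names, implementing the "do not open executable attachments" rule above. The extension sets are assumptions for illustration, not Microsoft's published list; adjust them to your own policy.

```python
"""Flag risky e-mail attachments by file name before a user opens them.

Added example. The extension sets below are assumptions chosen to
illustrate the article's advice; they are not an authoritative list.
"""
import re

# Assumed: extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "ps1", "lnk", "reg",
}
# Assumed: document types that may carry macros or active content
# (the article notes that even PDF files can carry malware).
ACTIVE_CONTENT_EXTS = {"docm", "xlsm", "pptm", "pdf"}
# Assumed: containers that can wrap an executable.
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso"}


def classify_attachment(name: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    lowered = name.strip().lower()
    # Long runs of spaces push the real extension out of view in narrow
    # mail clients, e.g. 'photo.jpg          .scr'.
    if re.search(r"\s{5,}", name):
        return "block", "padded file name hides its true extension"
    parts = lowered.split(".")
    exts = parts[1:]          # 'invoice.pdf.exe' -> ['pdf', 'exe']
    if not exts:
        return "review", "no extension; file type unknown"
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] not in EXECUTABLE_EXTS:
            # Double extension: executable disguised as a document.
            return "block", f"executable '{final}' disguised as '{exts[-2]}'"
        return "block", f"executable type '{final}'"
    if final in ARCHIVE_EXTS:
        return "review", f"archive '{final}' may wrap an executable"
    if final in ACTIVE_CONTENT_EXTS:
        return "review", f"'{final}' may contain active content"
    return "allow", f"'{final}' is not on the watch list"


def screen(names: list[str]) -> dict[str, str]:
    """Map each attachment name to its verdict for a quick triage report."""
    return {n: classify_attachment(n)[0] for n in names}
```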

While this article is not exhaustive, it should give you an entry level understanding of social engineering, the kinds of cyber-attacks prominent in today’s business environment, and what to do to prepare your company to avoid attacks or minimize damage after an attack.

The key is education. There are plenty of good IT Security sites on the internet such as Sophos Naked Security and ITSecurity. The more you know, the better prepared you’ll be.