by Rene Cardona, Solutions Architect, VectorUSA
The ever-present threat of social engineering is one of today’s most overlooked cybersecurity concerns.
Previously, we examined why social engineering is posing such a cybersecurity challenge to organizations of all types. While the need for protection from social engineering is well understood, how to address its inherent problems isn’t.
Four key problem areas clearly stand out in every organization that’s trying to mitigate these threats. They include:
Just like network protection as a whole is never finished, concerted and ongoing end user cybersecurity training must be treated as an important ongoing activity. In fact, ever-present end user training is a critical component of your entire cybersecurity plan if you expect to mitigate threats employing social engineering. Cyber criminals never rest and neither can you.
One cybersecurity solution is to clearly identify what’s appropriate for end users to post and not to post online. In addition, they need to understand that it’s not an option, but an obligation to change their passwords on a regular basis, ideally every 90 days. Ongoing training is the only way to keep such concerns front and center in increasingly vulnerable environments.
“One cybersecurity solution is to clearly identify what’s appropriate for end users to post and not to post online.”
– Rene Cardona, Solutions Architect, VectorUSA
Lack of concern, carelessness or sheer convenience often eclipse common sense when it comes to passwords, passcodes or passphrases.
Bad Practices: Using easily identifiable passwords such as a birthday or a pet’s name are open doors to network access. Hackers can easily identify such passwords simply through scouring social media profiles. Perhaps worse yet are end user’s own names, phone numbers or sequenced numbers like 12345, 54321 or all of the same numbers, like 88888, just so passwords are easy to remember.
Good Practices: While harder to remember, a complex password is better. Passwords with a combination of uppercase/lowercase letters, numbers and symbols are the hardest to break. Fortunately, users can securely maintain complex passwords in a database using a password manager or key store so that they’re not forgotten.
Best Practices: Implementing stateful firewalls as well as two-factor authentication (2FA) that resides on top of an offloading SSL VPN, usernames and current passwords are two of the most effective cybersecurity solutions. Pre-shared keys are not a good option because they’re easy to break. Instead, 2FA involves a token or some kind of cache algorithm that the end user needs to select. SSL offloading ensures the firewall will tell end users beforehand that they should avoid accessing a malicious site.
Understanding what an authentic email looks like versus a spoof email (sent from an illegitimate source forging the sender’s address) is a critical part of mitigating social engineering threats.
For example, an end user might receive an email asking the recipient to check on a specific invoice. However, the message contains an attachment that when opened delivers a damaging payload.
Educating end users about how to tell the difference between authentic emails and illegitimate emails is very important. 60 percent of successful cyber attacks occur due to emails that weren’t identified as malicious by the end user.
“Educating end users about how to tell the difference between authentic emails and illegitimate emails is very important.”
– Rene Cardona, Solutions Architect, VectorUSA
For example, a clear red flag rears up when an end user receives a suspicious email from what appears to be an internal sender using @gmail.com in their address. However, the company’s internal email address structure doesn’t use @gmail.com.
Unfortunately, email spoofing is getting more complex using what’s known as an SMTP relay. In addition, senders can spoof actual email addresses using @companyname.com. Even though the email address looks real, it might not be. That makes educating end users more challenging.
End users must be educated to question themselves: “Am I expecting an invoice from this customer?” “Am I expecting a message from this sender?” or “Does our CEO email me regularly?” Awareness is key so that end users can determine an email’s authenticity.
Network penetration via landline or cell phones is actually quite simple. Someone can easily impersonate a company or organization end user and place a call to have his password reset. If the company or organization doesn’t have a standard operating procedure (SOP) for password resets, they’ll just forward the call to their IT help desk. Frequently, the caller will receive a password reset without much effort. Mitigating such risks via phone can be as basic as implementing a SOP that states no password reset requests will occur via a company’s public access phone numbers.
In addition to offloading SSL and stateful firewalls, there are two NAC (network access control) appliances that are critical to network penetration protection: Cisco Identity Services Engine (ISE) and Aruba ClearPass.
Both solutions identify abnormal patterns and provide analytics regarding attack detection and penetration threats. Cisco ISE and Aruba ClearPass, working in tandem with offloading SSL and stateful firewalls, are key to keeping end users off of malicious sites which will, in turn, protect an organization’s network.
NAC appliances also provide Remote Authentication Dial-In User Service (RADIUS) that encrypts all usernames and passwords when they’re sent over the network so that an end user’s access to the environment is properly authenticated. Most of the time, unfortunately, companies and organizations don’t encrypt their username and password transport. This is especially the case with the healthcare industry.
Healthcare is one of the most vulnerable industries today due to the number of cyber attack statistics and internal IT staffs’ lack of cybersecurity knowledge. Publicly funded institutions and community hospitals who may lack the proper IT resources are at highest risk.
Following is an example of a large healthcare provider whose network was vulnerable. Not only was it a high security threat but also a risk of HIPAA non-compliance.
Information and data routing without a firewall, as well as servers and users talking freely while guests had easy access to the entire network, were inviting disaster. Amazingly, the guest environment was able to talk to the servers which hosted all of the provider’s patient data.
That meant someone in the parking lot connected to the guest wireless network — while using common brute force attacks or reconnaissance — could obtain access to servers containing medical records including patients’ private healthcare information, thus compromising the healthcare provider’s internal infrastructure.
To solve these issues, the healthcare provider’s environment was first completely rearchitected HIPAA compliant. VectorUSA then set up a cluster of Palo Alto Networks firewalls to completely isolate the server traffic from the user traffic.
The firewalls started monitoring and identifying which servers were talking to client networks that they shouldn’t be talking to. The Palo Alto Networks firewalls were able to provide a list of servers that weren’t compliant and also prone to a ransomware attack.
This then helped the healthcare provider’s CTO identify what was infected in his network. As soon as his environment was isolated, he was provided a precise list of vulnerable devices and was able to act quickly upon those findings.
Social engineering will be an ongoing cybersecurity threat. Fortunately, there are several approaches you can take now avoid such threats before they become a serious problem. Ongoing end user training, enhanced password management, effective email authentication, proper phone use procedures, along with the right network platform security tools, work together to prevent unnecessary social engineering cybersecurity risks now and into the future.