Don't Sabotage Your Own Security, Train Your Users

I think the first time I saw a phishing email was back in 2000 while I was working on a testing project with Oliver Rist, who is now PCMag's Business Editor. One morning we both received emails with the subject line, "I Love You," which was also the body of the email and there was an attachment. We both knew instantly that the email had to be bogus because, as magazine editors, we knew that nobody loved us. We didn't click on the attachment. We were, in effect, acting as human firewalls. We recognized a bogus email on sight, and we deleted it rather than letting its contents spread into our computers and the rest of the network.

Even back then, attacks like these were called "social engineering" by the hacker set. Today, phishing emails are probably the best-known version of this kind of exploit. They are aimed mainly at snagging security credentials but they're also capable of delivering other kinds of malware, especially ransomware. But it's worth noting that there are other types of social engineering attacks besides phishing, including some where the attack is physical rather than strictly digital.

Humans: Still a Leading Attack Vector

The reason phishing emails are so widely known is that they're so common. By now, it's fair to say that anyone with an email account has received a phishing email at some point. The email frequently pretends to be from your bank, your credit card company, or some other business you frequent. But phishing emails can also be a threat to your organization, as attackers try to use your employees against you. Another early version of this attack came during the golden age of faxing, when attackers would simply fax large companies an invoice for services that were never rendered, in the hope that busy executives would submit them for payment without checking.

Phishing is surprisingly effective. According to a study by law firm BakerHostetler, which looked at 560 data breaches last year, phishing is the leading cause of data security incidents today.

Unfortunately, technology hasn't caught up with phishing attacks. While there are a number of security devices and software packages designed to filter out malicious emails, the bad guys who craft phishing emails work hard to make sure their attacks slip through the cracks. A study by Cyren found that email scanning has a failure rate of 10.5 percent in catching malicious emails. Even in a small to midsize business (SMB), that can add up to a lot of emails, and any of those that carry a social engineering attack is a threat to your organization. It's not the general-purpose threat posed by most malware that sneaks past your endpoint protection, but the more sinister kind that is aimed specifically at your most valuable data and digital resources.

I was alerted to the Cyren report during a conversation with Stu Sjouwerman, founder and CEO of KnowBe4, a company that can help human resources (HR) professionals teach security awareness. It was Sjouwerman who brought up the term "human firewall" and who also discussed "human hacking." His suggestion is that organizations can prevent or reduce the effectiveness of social engineering attacks with some consistent training that's done in a way that also engages your staff in solving the problem.

Of course, many organizations have security awareness training sessions. You've probably been in several of those meetings in which old coffee is paired with stale donuts while a contractor hired by HR spends 15 minutes telling you not to fall for phishing emails—without actually telling you what they are or explaining what to do if you think you've found one. Yes, those meetings.

What Sjouwerman suggested works better is an interactive training environment in which you have access to actual phishing emails that staff can examine. Perhaps make it a group effort in which everyone tries to spot the factors that point to a phishing email: poor spelling, sender addresses that almost look real, or requests that, on examination, don't make sense (such as an immediate transfer of corporate funds to an unknown recipient).
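To make that group exercise concrete, here is an added example (not code from the article or from KnowBe4) that turns those tell-tale signs into checks over one raw message: a sender domain that almost looks real, a Reply-To that points somewhere else, an urgent request to move money, and a link whose visible text disagrees with where it actually goes. The trusted domains, the `.invalid` hosts and both messages are constructed for the example, not real samples.

```python
"""Check one raw message for the signs named above (a sender address that almost
looks real, a request that makes no sense) plus two more worth teaching: where
Reply-To points, and whether a link's visible text matches its real target."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: these are your own and your bank's domains.
TRUSTED_DOMAINS = ("example.com", "example-bank.com")
MONEY_URGENCY_WORDS = ("urgent", "immediately", "wire", "transfer", "gift card", "right away")

def normalize(domain: str) -> str:
    """Fold the usual homoglyph swaps (rn for m, vv for w, 0 for o, 1 for l) before comparing."""
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typical typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # the real domain or one of its subdomains
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 2 or t in domain:
            return t  # examp1e.com, exarnple.com, or example-bank.com.login-verify.invalid
    return None

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from the anchors in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url: str) -> str:
    url = url.strip()
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def triage(raw: bytes) -> list:
    """Return (indicator, detail) pairs for one RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if (target := lookalike_of(from_domain)):
        findings.append(("lookalike-sender", f"{from_domain} imitates {target}"))
    reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply-to-elsewhere", reply))  # replies go to the attacker, not the shown sender
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [w for w in MONEY_URGENCY_WORDS if w in text]
    if len(hits) >= 2:  # one such word is ordinary business mail; several together is the CEO-fraud pattern
        findings.append(("urgent-money-request", ", ".join(hits)))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for shown, href in collector.links:
            if re.match(r"^(https?://)?[\w.-]+\.[A-Za-z]{2,}(/|$)", shown) and host_of(shown) != host_of(href):
                findings.append(("link-text-mismatch", f"shows {host_of(shown)}, goes to {host_of(href)}"))
            if (target := lookalike_of(host_of(href))):
                findings.append(("lookalike-link", f"{host_of(href)} imitates {target}"))
    return findings

# Constructed messages for the example, not real samples.
SAMPLE = b"""From: "Pat Chen (CEO)" <pat.chen@examp1e.com>
Reply-To: pat.chen.ceo@mail-relay.invalid
To: accounts@example.com
Subject: Urgent: wire transfer needed today
Content-Type: text/html; charset=utf-8

<p>I need you to <b>immediately</b> wire $48,500 to the vendor below before 3pm.</p>
<p>Details: <a href="http://example-bank.com.login-verify.invalid/wire">https://example-bank.com/wire</a></p>
"""
BENIGN = b"""From: "Pat Chen" <pat.chen@example.com>
To: accounts@example.com
Subject: Q3 report
Content-Type: text/plain; charset=utf-8

The Q3 numbers are attached for review at Thursday's meeting.
"""
```

Run `triage(SAMPLE)` and every indicator fires except the benign one; `triage(BENIGN)` returns nothing. The point for a training session is not the code but the list of indicators it encodes: each one is something a person can check by hovering over a link or reading the address behind the display name.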

Defending Against Social Engineering

But Sjouwerman also pointed out that there's more than one type of social engineering. He offers a set of free tools on the KnowBe4 website that companies can use to help their employees learn. He also suggested the following nine steps that companies can take to fight social engineering attacks.

  • Create a human firewall by training your staff to recognize social engineering attacks when they see them.
  • Conduct frequent, simulated social engineering tests to keep your employees on their toes.
  • Conduct a phishing security test; KnowBe4 has a free one.
  • Be on the lookout for CEO fraud. These are attacks in which the attackers create a spoofed email that appears to be from the CEO or other high-ranking officer, directing actions such as transfers of money on an urgent basis. You can check to see if your domain can be spoofed by using a free tool from KnowBe4.
  • Send simulated phishing emails to your employees and include a link that will alert you if that link is clicked. Keep track of which employees fall for it and focus training on those who fall for it more than once.
  • Be prepared for "vishing," or voice phishing: social engineering by phone, typically a voicemail message that tries to get your employees to take some action. These may appear to come from law enforcement, the Internal Revenue Service (IRS), or even Microsoft tech support. Make sure your employees know not to return those calls.
  • Alert your employees to "text phishing" or "SMiShing (SMS phishing)," which is like email phishing but with text messages. In this case, the link may be designed to get sensitive information, such as contact lists, from their mobile phones. They must be trained not to touch links in text messages, even if they appear to be from friends.
  • Universal Serial Bus (USB) attacks are surprisingly effective, and they're a reliable way to get into air-gapped networks. Someone leaves USB memory sticks lying around in restrooms, parking lots, or other places your employees frequent; maybe the sticks carry enticing logos or labels. When employees find them and plug them into a handy computer (and they will, if they're not taught otherwise), the malware on the stick gets into your network. Stuxnet is widely reported to have reached the Iranian nuclear program's air-gapped systems this way. KnowBe4 has a free tool to test for this, too.
  • The package attack is also surprisingly effective. Someone shows up with an armload of boxes (or sometimes pizzas) and asks to be let in to deliver them. While you're not looking, they slip a USB device into a nearby computer. Here too, employees need to be trained with simulated attacks; you can encourage them by sharing the pizzas if they get it right.
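The domain-spoofing check in the CEO-fraud item above comes down to reading two DNS records the way a receiving mail server does. SPF only says which hosts may use your domain as the envelope sender; DMARC is what ties the From: header your employees actually see to SPF or DKIM and tells receivers to quarantine or reject on failure. The following is an added example, not KnowBe4's tool and not code from the article; the zone names, the `.invalid` hosts and the TXT records are constructed stand-ins for DNS answers, and DKIM is not evaluated because that needs a selector.

```python
"""Read the SPF and DMARC records a receiving mail server consults and report
whether mail with a forged From: <anyone@domain> would be delivered."""
import re

# Constructed TXT records standing in for DNS; swap lookup_txt for a real resolver to test your own zone.
CONSTRUCTED_TXT = {
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.invalid -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example": ["v=spf1 include:_spf.mailprovider.invalid ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "spfonly.example": ["v=spf1 mx -all"],
    "open.example": ["v=spf1 +all"],
}

def lookup_txt(name, records=CONSTRUCTED_TXT):
    return records.get(name.lower(), [])

def parse_spf(domain, records=CONSTRUCTED_TXT):
    """Return {'terms': [...], 'all': qualifier} or None when there is no usable SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none published, or several (invalid, treated as none by receivers)
        return None
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return {"terms": terms, "all": None}  # no all mechanism: unmatched senders get a neutral result
    return {"terms": terms, "all": all_term[0] if all_term[0] in "+-~?" else "+"}

def parse_dmarc(domain, records=CONSTRUCTED_TXT):
    """Return the p, pct and rua tags of the _dmarc record, or None when there is none."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", recs[0])}
    return {"p": tags.get("p", "").lower(), "pct": int(tags.get("pct", "100")), "rua": tags.get("rua", "")}

def spoof_assessment(domain, records=CONSTRUCTED_TXT):
    """Return (spoofable, reasons); spoofable is True when a forged From: would be delivered unchallenged."""
    spf, dmarc = parse_spf(domain, records), parse_dmarc(domain, records)
    reasons = []
    if spf is not None and spf["all"] == "+":
        # every host passes SPF for this domain, so even DMARC p=reject sees an aligned SPF pass
        reasons.append("SPF ends in +all: any host passes SPF, which satisfies DMARC alignment")
    if dmarc is None:
        if spf is None:
            spf_state = "no SPF record either"
        elif spf["all"] is None:
            spf_state = "SPF has no all term"
        else:
            spf_state = f"SPF ends in {spf['all']}all"
        reasons.append(f"no DMARC record ({spf_state}): receivers never tie SPF/DKIM results to the From: header")
    elif dmarc["p"] == "none":
        reasons.append("DMARC p=none: failures are only reported, the mail is still delivered")
    elif dmarc["pct"] < 100:
        reasons.append(f"DMARC pct={dmarc['pct']}: the policy is applied to only part of the failing mail")
    return (bool(reasons), reasons)

if __name__ == "__main__":
    for zone in ("strict.example", "soft.example", "spfonly.example", "open.example", "missing.example"):
        spoofable, why = spoof_assessment(zone)
        print(zone, "SPOOFABLE" if spoofable else "protected", *why, sep="\n  ")
```

Note what the `spfonly.example` case shows: a strict `-all` on its own does not stop a forged From: header, because SPF is checked against the envelope sender and nothing connects that result to the address displayed to the user until DMARC is published. To run the same check against a live zone, replace `lookup_txt` with a resolver; `dig +short txt _dmarc.yourdomain.example` returns the same strings this code parses.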

As you can see, social engineering can be a real challenge and it can be much more effective than you'd like. The only way to fight it is to actively engage your employees in spotting such attacks and calling them out. Done right, your employees will actually enjoy the process—and maybe they'll get some free pizzas out of it, too.

This article originally appeared on PCMag.com.