Social Engineering - Christopher Hadnagy [181]
Summary
Security through education is the mantra of this book. Only when you are aware of the dangers that exist, only when you know how the “criminal” thinks, and only when you are ready to look that evil in the eye and embrace it can you truly protect yourself. To that end, the final chapter of this book discusses how to prevent and mitigate social engineering attacks.
Chapter 9
Prevention and Mitigation
The preceding chapters show you all the methods and ways that social engineers trick and scam targets into divulging valuable information. They also describe many of the psychological principles that social engineers use to influence and manipulate people.
Sometimes after I give a speech or security training, people will look very paranoid and scared and say something like, “It just seems there is no hope to even attempt security. How do I do it?”
That is a good question. I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of “if” you will get hacked, but “when.” You can still take precautions that give you at least a fighting chance at security.
Social engineering mitigation is not as easy as ensuring hardware security. With traditional defensive security you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.
In this chapter I present the top six steps I tell my clients they can take to prevent and mitigate social engineering attempts:
Learning to identify social engineering attacks
Creating a personal security awareness program
Creating awareness of the value of the information that is being sought by social engineers
Keeping software updated
Developing scripts
Learning from social engineering audits
These six points all boil down to creating a security awareness culture. Security awareness is not about a 40-, 60-, or 90-minute program once every year. It is about creating a culture or a set of standards that each person is committed to utilizing in his or her entire life. It is not just about work or websites deemed to be “important,” but it is the way one approaches being secure as a whole.
This chapter covers the aforementioned six points and how creating a security awareness culture can be the best defense against a malicious social engineer.
Learning to Identify Social Engineering Attacks
The first stage in social engineering prevention and mitigation is to learn about the attacks. You don’t have to dive so deep into these attacks that you know how to recreate malicious PDFs or create the perfect con. But understanding what happens when you click a malicious PDF and what signs to look for to determine whether someone is trying to trick you can help protect you. You need to understand the threats and how they apply to you.
Here’s an illustration: You value your home and the things in it, but especially the people in your home. You do not wait to have your first fire to figure out how to plan for, prevent, and mitigate its danger. Instead you install smoke detectors and plan out an escape route in case of a fire. In addition, you might teach your children the phrase “Stop, drop, and roll” for what to do if their clothes catch fire. You teach them how to feel the door for heat and to stay low to avoid smoke inhalation. All of these methods are ways to prevent or prepare for a fire before you have a real fire and have to deal with the devastation it brings.
The same principle applies to protecting yourself and your company from social engineering attacks. Do not wait for an attack to occur to learn how devastating these attacks can be. Don’t think I’m self-serving, but I promote social engineering audits to regularly test your employees