By Clayton Gouard, Information Security Consultant
Some 3,000 years ago the city of Troy boasted walls that withstood a ten-year siege before falling to a wooden horse left outside the gate. In 1779 the British Army’s top-secret and professionally run plot to take West Point by surrender was foiled when Major John Andre identified himself as a British officer to the wrong personnel. What do these events have in common with current information security practices? Both prove that technology and security practices can be hijacked, destroyed, or bypassed through social engineering techniques that exploit human behavior. The weaknesses that existed then are still seen today and will continue to live on in the future.
There are many contemporary equivalents of the social engineering approaches taken by the sackers of Troy and the captors of Major John Andre. These are the efforts of modern-day social engineers who exploit weaknesses inherent in human nature and do not depend on defeating technology or security controls. The danger grows every second as scams become more sophisticated.
There are many proactive measures you can take to help prevent becoming the victim of a social engineering attack. Technology is one obvious solution, but it can be bypassed, just as the Greeks used the Trojan Horse to enter Troy. Security processes are also necessary; however, they are not a complete answer on their own, as the British plot against West Point showed. While technical controls and security processes are necessary, user education is imperative. Personnel literate on this subject are the last, and sometimes the only, bulwark you can employ after your technological and procedural protections fail. When such a user is faced with a malicious link in a phishing email or a fast-talking social engineer on the phone, they must know that a threat is always possible and that reliance on our most trusted solutions is not enough.
How do you educate your users to block social engineering attacks that bypass technology and security? First, create awareness. They need to know, and keep in mind, that there are people who will seek to exploit them and their position within your enterprise. Having this knowledge will heighten their natural suspicion and empower them to act as a sensor and guardian. Next, encourage your users to ask appropriate questions to identify potential social engineering attempts. They should be asking themselves, “Who is this person asking me to perform this action?” and “Should I trust them without verifying this request?” These two simple questions can be applied to any social engineering method and help eliminate potential security threats.
Not educating your users about social engineering can lead to a devastating breach. For example, in December of 2013 the University of Washington Medicine in Seattle was compromised by a phishing attack that exposed more than 90,000 patient records. A similar attack took place against Baylor Regional Medical Center just a few weeks ago and required notification of nearly 2,000 patients. The antidote for these attacks, past and present, is and will remain the same: you must educate your users, because they are the ultimate protection between your data and a potential breach caused by social engineering.