Quid Pro Quo engagements offer an exchange of goods or services for information. Recent
attacks include fraudulent Microsoft service desk tech impersonators who cold-call users
offering to walk a victim through the process of removing phantom malware. These attacks can
end with the social engineers having access to a victim’s computer and personal information,
or in a position where they can lock and encrypt the victim’s information in order to
ransom it for cash.
Baiting, like phishing, is based on a promise or likelihood of reward for cooperation. This type of
SE is most common among freeware offers that entice users to enter personal information like
name, addresses, emails, credit card numbers or banking information in exchange for a free
product.
The prevalence of social engineering attacks suggests not only that social engineers are
becoming more devious and improving their toolbox, but also that the human factor, or "human firewall," is
a continuous inherent weakness: a victim’s inability to distinguish between bona fide requests
and malicious communications. That being said, the obvious solution is knowledge.
Taking Action
Mitigation of the social engineering risk can best be done through awareness and training,
focusing on the people and the processes. Companies should invest in training to make users
aware of the potential threat (techniques, ploys and pitfalls) and educate them about how to
deal with SE situations. Awareness and training combined with metrics help determine how
close a company is to meeting its educational goal.
Employees who fail the tests or show elevated SE risk based on metrics should be retrained.
Unfortunately, even though training, measurement and follow-up are proven effective, they are
not widely used. The Enterprise Management Association discovered that 56% of personnel
had no SE training of any kind.
Personnel need clear boundaries established by guidance, policies and standard operating
procedures from their employers. Thor Olavsrud, IT author and senior writer for CIO magazine,
recommends some basic measures. These measures include education on the latest
hacks/techniques, awareness of how important the information being released is, and knowing
which information is the most prized by bad actors. If there is data that can be monetized, it is
valuable and worth a social engineering attempt to procure. Proper education and verification
for employees will make them aware of the techniques used against them and train them to
challenge would-be impersonators.
Personnel need to change their paradigm about information. Information should be protected
like the valuable resource that it is. Additionally, there should be no punitive measures against
victims. Punitive measures create an atmosphere where employees will not share incidents and
will, in fact, hide potential breaches for fear of employer retaliation.
Lastly, a “need to know” mindset is important for employees to implement. Asking “does this
person need to know?” when fielding unsolicited requests is vital to avoiding SE losses. Most of
37 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide