Firewalls. Antivirus. Antispam. Web Access Gateways. Intrusion Detection Systems. Encryption. Data Loss Prevention. Et cetera. When it comes to technical controls and countermeasures, we’ve got our stuff together. We’re IT security professionals. It’s what we do.
Still, I have yet to see a technical product capable of preventing our end users from sharing credentials with someone impersonating a help desk employee who needs to verify that user’s username and password.
So what can we do to protect our users from social engineering attacks?
Realize that most people just want to be helpful. That said, the information security team should deploy and maintain a core set of technical controls to protect users from themselves. Start with this checklist:
- OS Patch Management
- Application Patch Management (Adobe, Java, Flash, etc.)
- Host-Based Firewall
- Web Access Gateway
- Egress Filtering in the Firewall
- Appropriate Access Controls (Principle of Least Privilege)
Phishing emails attempt to lure users into visiting websites that host malicious content or that prompt users for their login credentials. By implementing the layered controls outlined in the checklist above, you can significantly reduce the likelihood of a successful exploit.
Most importantly however, EDUCATE YOUR USERS.
Annual security awareness training, combined with recurring reminders (e.g., security emails, newsletters, or posters) can go a long way toward determining whether or not your user opens that email or clicks on that link.
Finally, validate your efforts. Perform social engineering tests throughout the year to gauge the effectiveness of your technical controls and training efforts.