Week 6: Hardening Users Against Social Engineering


Information security professionals invest effort and capital in building robust technical solutions and policies to harden our networks against attacks. However, all of this can be undone if our users aren’t aware of the policies—or fall victim to social engineering and violate the policies to help a “customer.” The 2019 Verizon data breach investigations report found that 33% of breaches included social attacks, illustrating the importance of security awareness at the basic user level.

For example, a recent Princeton study (PDF link) found that telephone company employees regularly violated admittedly lax company authentication policies, which allowed attackers to reassign customer telephone numbers and bypass SMS-based two-factor authentication. This case underscores two problems: first, that telecom policies did not adequately protect customer account information, and second that customer service employees were too focused on what they perceived as their core function, helping customers resolve issues, without understanding the security implications of what they were doing. The former issue is something which can be resolved relatively easily: telecom security personnel can implement stricter authentication policies, and other services can recognize the problems inherent in tying two-factor authentication to SMS. However, training customer service personnel to concentrate on security is a more complex problem.

It is a truism in the information security industry that security should be part of the system design process rather than being added on after the fact. I propose that we go one step further by integrating security-consciousness into the new employee onboarding process. This extends the same principle and will cement the idea that protecting customer information and company systems is a core part of every employee’s duties.

Comments

Post a Comment

Popular posts from this blog

Week 1: What is User-Centered Security?

Information technology professionals are familiar with the cycle: we implement strong security measures, but then receive negative feedback from users due to decreased functionality, additional "hoops" they are required to jump through, et cetera. Sometimes users even use work-arounds which can not only circumvent the new security measure but invalidate other aspects of the system's security. As an example for how well-intentioned security measures can backfire, consider the strong password policies that were the industry standard a few years ago. The requirements for high minimum character count, complexity via required character combinations, and regular changes drove many users to circumvent the password-based security entirely by writing their passwords down either physically or in text files. As a result, current NIST guidance recognizes this vulnerability and no longer recommends evaluating password complexity beyond comparing the user's chosen password again...
Read more

Week 9: Selling Security Education, Training and Awareness Programs to Users

I’ve frequently heard users complain to one another about the relevance, timeliness, or applicability of the training they just completed while on a break after a mandatory organizational SETA session. As cybersecurity professionals, we understand that SETA programs are a vital part of an organization’s information security posture. Verizon’s survey of databreaches shows that years of SETA programs are having an effect, helping make users more resistant to the temptation to click malicious links and more likely to report them during security audits. However, these connections are not as obvious to our users, who see SETA content as competing with work activities more tied to their core business functions. There are a few tricks I’ve found to help users take SETA training more seriously. First, by tying information security to the core organizational mission. If you can demonstrate to your users that the impact of the time spent learning about information security benefits the ...
Read more