In the first part of this two-part blog series, we touched on understanding your security posture, training your employees, and gaining knowledge of policies and procedures. This month let’s take a look at building out a vulnerability management program and putting a defensive strategy in place.
Vulnerability Management Program
The fact that you are reading this indicates that you likely have some experience around information security and network security. Based on that, you have also likely seen common network vulnerability management programs. Those programs include important topics like staying current on asset inventory, frequent testing and scanning, and a reliable patch management program. When it comes to keeping your employees secure, the same ideas apply.
Asset Management
First, let’s be clear: employees are not “assets”, but we do need to be aware of how employees interact with the world. Are they required to respond to email? Are they required to click links or open attachments? Do they take phone calls? By nature, people want to be helpful, and that is exactly what a malicious actor is looking to take advantage of. Employees want to do the right thing, but they also want to perform their job and meet their goals. It’s important that you find ways for security and those goals to line up rather than compete.
After you know which employees are responsible for which interactions, create specific guidelines and policies for them. For example, do they need to download files? If so, ensure they use a computer with very limited network access and no other sensitive data on it. Educate employees on the risk of running macros or enabling any other executable code. This is in addition to other network protections that should already be in place.
If employees answer phones to provide customer assistance, make them aware of information they should not share. The questions may seem innocuous, like “What kind of computer do you use? Is it Windows?” or a “fellow employee” asking for the name of the Wi-Fi network. Be sure your employees know how to properly verify all callers, and be supportive when they terminate calls that cannot be verified.
Frequent Testing
Once you are aware of which employees face which potential threats, and you have provided training, it’s time to see what they’ve learned. At Social-Engineer, we encourage a positive testing environment. When we perform phishing engagements, we often let people know immediately that it was a phishing test and point out the various clues that should be detected in a phish. We also have the IVES™ (Instant Vishing Education Service) option for our vishing engagements. If an employee reveals sensitive information during a phone call, they are immediately notified that it was a vishing test and given suggestions on what to look for.
Patch Management
Conducting these types of tests frequently allows you to get a picture of where your company’s vulnerabilities are. Now from this point, you can address the vulnerabilities directly. If there are specific groups or departments that are faring on the lower end of the scale, that’s where you can best direct resources for training.
One group that we very often see struggling with testing is new employees. They’ll even say the magic words that social engineers love to hear: “I’m new here, so I’m not sure what to do.” When a social engineer hears that, they’ll be very supportive and encouraging to the employee, all while trying to extract as much information as they can. If new employees consistently perform worst in testing, that is an indication that they may need more training during onboarding. New hires are handed a great deal of information, and information security needs to be a prominent part of it.
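To make the “direct resources where testing shows weakness” step concrete, here is an added example (not code from the original post) that turns the per-recipient outcomes of one simulated phishing round into per-department and new-hire-versus-tenured figures. The rows are constructed sample data, and the thresholds (30% click rate, 50% report rate, minimum of five people per group) are illustrative assumptions, not numbers from the post. It deliberately tracks the report rate alongside the click rate, and it refuses to flag very small groups, since two clicks in a three-person team is noise rather than a trend.

```python
"""Turning phishing-test results into a per-group picture.

Added example, not code from the original post. It assumes a flat list of
per-recipient outcomes from a simulated phish (who clicked, who reported)
with a department and new-hire flag attached; the rows below are constructed
sample data, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    department: str
    new_hire: bool
    clicked: bool      # followed the link or opened the attachment
    reported: bool     # used the report button / hotline


@dataclass
class GroupStats:
    n: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.n if self.n else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.n if self.n else 0.0


def _rows(department, new_hire, clicked, reported, count):
    return [PhishResult(department, new_hire, clicked, reported)] * count


# Constructed sample outcomes of one simulated phishing round (not real data).
SAMPLE_RESULTS = (
    _rows("Finance", False, True, False, 4)
    + _rows("Finance", False, False, True, 4)
    + _rows("Finance", True, True, False, 3)
    + _rows("Engineering", False, False, True, 8)
    + _rows("Engineering", False, False, False, 2)
    + _rows("Engineering", True, True, False, 2)
    + _rows("Engineering", True, False, True, 1)
    + _rows("Legal", False, True, False, 2)
    + _rows("Legal", False, False, False, 1)
)


def summarize(results, group_key):
    """Aggregate outcomes under the label that group_key(result) returns."""
    stats = defaultdict(GroupStats)
    for r in results:
        s = stats[group_key(r)]
        s.n += 1
        s.clicked += int(r.clicked)
        s.reported += int(r.reported)
    return dict(stats)


def flag_groups(stats, min_n=5, max_click_rate=0.30, min_report_rate=0.50):
    """Return {group: [reasons]} for groups that need training attention.

    Groups smaller than min_n are skipped on purpose: a 67% click rate from
    a three-person team is not something you can act on.
    """
    flagged = {}
    for group, s in sorted(stats.items()):
        if s.n < min_n:
            continue
        reasons = []
        if s.click_rate > max_click_rate:
            reasons.append(f"click rate {s.click_rate:.0%} > {max_click_rate:.0%}")
        if s.report_rate < min_report_rate:
            reasons.append(f"report rate {s.report_rate:.0%} < {min_report_rate:.0%}")
        if reasons:
            flagged[group] = reasons
    return flagged


if __name__ == "__main__":
    views = (("department", lambda r: r.department),
             ("tenure", lambda r: "new hire" if r.new_hire else "tenured"))
    for label, key in views:
        stats = summarize(SAMPLE_RESULTS, key)
        print(f"by {label}:")
        for group, s in sorted(stats.items()):
            print(f"  {group:12} n={s.n:2} click={s.click_rate:.0%} report={s.report_rate:.0%}")
        for group, reasons in flag_groups(stats).items():
            print(f"  -> {group}: {'; '.join(reasons)}")
```

On the constructed data, Finance and the new-hire cohort are flagged on both counts, Engineering passes, and Legal is not flagged at all because three people is too small a sample to judge. Grouping by tenure is what surfaces the onboarding gap described above; a department-only view would hide it inside Finance’s numbers.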
If your support desk is being targeted with phone calls, help them to understand the scope of issues that they can assist with. If they assist the general public, instruct them to stick to the product issues that people are calling about and not to reveal any company or personal information. When an internal employee calls, ensure they follow a proper validation process. This can be as simple as a one-time password (OTP) that the caller can only obtain from an internal system, so that someone outside the company has no way to produce it. When the caller cannot be validated, terminate the call.
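The internal-OTP check described above could be implemented in many ways; the following is an added example, not code from the original post or from Social-Engineer. It assumes a time-based OTP scheme (RFC 6238 TOTP over HMAC-SHA1, 30-second step, 6 digits), a per-employee seed provisioned out of band, and an internal portal that hands the current code to the employee and is reachable only from the corporate network. The employee records are constructed sample data. Beyond the bare “does the code match” check, it does the three things a help-desk tool should: it tolerates one step of clock drift so a code read out a few seconds late still works, it rejects a code that has already been used, and it locks the record after a few wrong guesses so a caller fishing for codes gets escalated rather than more attempts.

```python
"""Help-desk caller verification with an internally issued one-time password.

Added example, not code from the original post. Assumptions: RFC 6238 TOTP
(HMAC-SHA1, 30-second step, 6 digits); the portal that shows the code to
the employee is reachable only from the corporate network; the employee
records used here are constructed sample data.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_SECONDS = 30
DIGITS = 6
ALLOWED_DRIFT_STEPS = 1      # also accept the previous and next 30-second window
MAX_FAILURES = 3             # lock the record after this many bad codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of steps elapsed since the Unix epoch."""
    return hotp(secret, at_time // step)


@dataclass
class EmployeeRecord:
    employee_id: str
    secret: bytes            # per-employee seed, provisioned out of band (assumed)
    failures: int = 0
    locked: bool = False
    last_counter: int = -1   # highest time step already accepted, to stop replay


class HelpDeskVerifier:
    """What the help-desk tool does when an agent types in the caller's code."""

    def __init__(self, records):
        self.records = {r.employee_id: r for r in records}

    def issue_code(self, employee_id: str, at_time: int) -> str:
        """Portal side: assumed reachable only from inside the corporate network."""
        return totp(self.records[employee_id].secret, at_time)

    def verify(self, employee_id: str, code: str, at_time: int) -> bool:
        """Agent side: True only for a fresh, in-window code from a known, unlocked caller."""
        rec = self.records.get(employee_id)
        if rec is None or rec.locked:
            return False                      # unknown or locked: terminate the call
        code = code.strip().encode()
        counter = at_time // STEP_SECONDS
        for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
            candidate = counter + drift
            expected = hotp(rec.secret, candidate).encode()
            if hmac.compare_digest(expected, code):     # constant-time compare
                if candidate <= rec.last_counter:
                    break                     # already used once: treat as a bad attempt
                rec.last_counter = candidate
                rec.failures = 0
                return True
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked = True                 # escalate; do not keep letting the caller guess
        return False


if __name__ == "__main__":
    desk = HelpDeskVerifier([EmployeeRecord("e1001", b"12345678901234567890")])
    now = 1_700_000_000
    code = desk.issue_code("e1001", now)              # employee reads this from the portal
    print("first use:", desk.verify("e1001", code, now + 10))   # True
    print("replay:   ", desk.verify("e1001", code, now + 15))   # False
```

The check only proves that the caller can reach the internal portal; it does nothing if an employee has already been talked into reading their code to a stranger, which is why the “don’t share information with unverified callers” training in the rest of this post still matters. The usual TOTP housekeeping applies: keep the per-employee seeds in the same class of storage as any other credential, and have the help-desk tool log failed and locked attempts so a run of bad codes against one employee becomes an alert rather than a curiosity.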
Reporting
Reporting is one area of the vulnerability management program that employees often overlook. Employees should report both attempted and successful social engineering attacks. Management needs to be extremely supportive of employees who report these attacks, even when the attacks succeeded. It is easier to contain ten successful attacks that were reported than one that went unreported. Ensure that employees have an easy way to report phishing emails; some clients make it as easy as a click of a button. You could also have an internal form or a number that people can call if they receive a vishing call. When these are determined to have malicious intent, spread the word around the company. When employees are notified of these attacks, instruct them not to tell callers what gave the attempt away, as the caller will simply adjust tactics.
Summary
A social engineering vulnerability management program follows all the same steps as a network program. First, knowing what you need to protect. Second, putting policies in place to protect them. Third, frequent testing, updating where needed, and proper reporting methodology. When you stay on top of these steps in a positive, supportive environment, you are adding another layer of defense in depth.