In the modern world, cyber security is something that affects everyone, whether or not they are consciously aware of it. Digital safety is paramount, but it is something that many people do not properly understand. As security professionals, it is easy to fall under the assumption that non-technical people will follow the same best practices that may be more common knowledge in the information security industry. This assumption can be dangerous, and training users on the importance of security is vital.
The people of an organization are what makes it what it is, but unfortunately, they can also be the weakest link when it comes to security. Attackers are very skilled at deception and at abusing common human tendencies. Employees should understand what attackers are commonly trying to do and how they can protect themselves and the organization from these attacks. Because attack techniques change so rapidly, this training needs to evolve just as rapidly.
Around 91% of attacks start with a phishing attack (https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email). While careful filtering will go a long way toward blocking these attacks before they reach the intended victim, criminals' use of legitimate tools can bypass these filters. Users need to be cautious of any emails they receive, even seemingly innocuous ones. Hackers abuse common human tendencies, such as panicked decision-making under pressure, to pressure their victims into falling for malicious communications.
While emails are the most common avenue for social engineering, attacks via other methods of communication are still possible. Users may be less cautious of lesser-known attacks, but they can be just as dangerous. Attacks are rapidly evolving as technology evolves. The prevalence of AI tools can now allow attackers to easily replicate the voice and mannerisms of someone the victim will know for phone-based social engineering attacks. Hearing a trusted voice will often cause users to not even think twice about giving away sensitive information, so extra care must be taken to avoid attacks like this.
Another common threat is users implementing weak passwords. Password policies will only go so far in causing users to use safe passwords. A prevalent password such as ‘Password1!’ will meet typical password policies while still being incredibly easy for attackers to guess. Users should be taught proper password procedures and the dangers of weak passwords.
Another concern with passwords is employees using their work credentials for non-work purposes or reusing passwords. People tend to reuse passwords because one password is far easier to remember than a unique password for each service. An attacker can easily exploit this if an employee used their work email with a reused password on a service that suffers a data breach. Even if they do not use their work email, if an attacker is able to tie a personal email to their work email and find the personal email in a breach, the same attack can occur.
One often overlooked security concern is employees working with or discussing sensitive information in a public place. An employee working in a coffee shop could be an easy victim for an attacker simply sitting near them in the same coffee shop and listening to a potentially sensitive phone conversation. Hackers can also run certain tools if they are on the same physical network, which could lead to data or credentials being stolen. It is crucial to teach employees what is acceptable to discuss or view in public settings.
Mitigations for Systems Administrators
While user education is a vital part of security, there are many steps that administrators can take to keep employees more secure. Implementing simple security measures to keep employees safe can significantly reduce the risk of attackers compromising the network. The impact of social engineering attacks can be massively reduced by proper Multi-Factor Authentication (MFA). This means that, in addition to the credentials harvested from the social engineering campaign, the attacker would also need access to the victim's second authentication factor.
Proper password policies can also be a great way to protect accounts. There are services that prevent users from choosing common passwords, which protects against password-spraying attacks. Requiring users to use long and sufficiently complex passwords will help immensely, but it is essential not to make the requirement arbitrarily complicated. Administrators should also enforce regular password changes, though not too frequently, as that leads users to simply make minor tweaks to a weak password.
Test Your Security Posture With Blue Goat Cyber
We can help your organization identify security weaknesses through our range of services. Our team can perform social engineering campaigns, security audits, and penetration tests to see how well your security holds up under attack. Contact us to schedule a meeting.