THREAT MONITOR

How to prevent phishing attacks with social engineering tests


Sherri Davidoff, Contributor
10.15.2009


A chain is only as strong as its weakest link. Unfortunately, attackers realized years ago that when it comes to enterprise security, employees are the weakest link. Rather than hammering away at servers in a company's DMZ, many attackers now take an easier route to compromising an organization -- sending employees alluring phishing emails in order to steal credentials or drop a malicious payload. Fortunately, security pros can test employees' resilience to these attacks, and reinforce good security habits at the same time.

Phishing emails are cheap and easy to send. To send the messages and harvest new addresses, remote attackers typically leverage the compromised hosts that make up huge botnets. The Anti-Phishing Working Group reported that in the first half of 2009, the number of known, unique phishing sites peaked at 49,084 in June. Over the past decade, phishing attacks have become extremely sophisticated, leveraging techniques such as fast-flux DNS (rapidly rotating the addresses behind a phishing hostname across many compromised hosts) to resist takedown and mask the true source of the malware.

Voice phishing, or vishing, is also used increasingly by attackers. The explosion of voice over IP telephony in recent years has facilitated mass calling, making it cheap and easy to place automated voice calls to thousands of targets. Typically, attackers send a recorded voice message to a target, claiming that there are problems with the victim's credit card or bank account, and soliciting the target to enter his or her account number as verification. Attackers can also set up voice man-in-the-middle attacks and capture account credentials as users enter them over the phone. Vishing can be a serious problem for enterprises, as attackers can (and do) use the technique to gain information about internal IT systems, voice mail passwords, employee credentials and confidential data, such as medical records.

The keys to preventing phishing attacks
An organization can and should test its resilience to email, Web and voice social engineering attacks. There are multiple benefits to conducting regular social engineering tests: first, they facilitate an accurate understanding of employees' strengths and weaknesses, identifying specific sites or departments that may need extra training. Second, when conducted properly, social engineering testing is itself a key component of security awareness training, and will help reinforce positive behaviors.

It's important to remember that social engineering testing is not so much a test of individual employees as it is a reflection of an enterprise's ability to define and communicate appropriate procedures for identifying, handling and reporting social engineering attacks. Generally, when employees are given clear procedures and appropriate incentives, they will act accordingly.

Here are some tricks that security pros can use to conduct beneficial, accurate social engineering tests, and at the same time boost employee morale and encourage security-conscious behavior:

  • Inform employees in advance that you will be conducting social engineering testing. It's a good idea to send out a reminder regularly (instead of right before a specific test).
  • Make sure you have clearly defined and communicated standard procedures for identifying, handling and reporting phishing emails and websites. Your employees need to know the right way to handle social engineering attacks in order to succeed.
  • Use a third-party consulting firm. In order to get an accurate test, the persons conducting the test should have limited insider knowledge. Also, you want any negative employee feelings to be directed at outsiders.
  • When deciding on scenarios for email, phone and phishing website lures, remember to test for adherence to specific, well-communicated company policies. Know what constitutes success versus failure. Remember that social engineering testers, unlike real attackers, are bound by law and ethics. Only target company information, not personal information, whenever possible.
  • Track the results carefully. Make sure you record detailed statistics about the number of employees who click on phishing links or enter credentials into phishing sites. When possible, analyze the results to determine trends based on department or location. That way, you can focus future training efforts where they are most needed.
  • Follow up on your findings and provide extra training where it really matters. If a significant percentage of employees did not pass, schedule extra security training for everyone. If particular individuals repeatedly fail, work with their managers to provide extra incentives and training.
  • Reward good behavior. When your employees succeed, offer them prizes or bonuses! I recommend that my clients raffle off an iPod or some other cool prize for all the people that passed the test with flying colors. This strengthens staff relationships with the security team, boosts morale and provides positive incentives.
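The tracking and follow-up steps above call for per-department click, credential-submission and reporting rates, plus a list of individuals who fail repeatedly. The Python script below is an added example, not code from the original article or from any particular phishing-test product. It works over a constructed event log; the CSV layout, the campaign and department names, the employee names and the rule that either clicking the link or submitting credentials counts as a failure are all assumptions made for illustration.

```python
"""Aggregate phishing-simulation results by department and flag repeat failers.

Added example, not from the original article. The event layout, the
department names and the failure rule are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one line per observed action. A campaign tool
# would normally export something similar (campaign, employee, department,
# action). "delivered" is logged for every recipient so rates have a base.
SAMPLE_LOG = """\
# campaign,employee,department,action
2009-Q3,alice,finance,delivered
2009-Q3,alice,finance,clicked
2009-Q3,alice,finance,submitted
2009-Q3,bob,finance,delivered
2009-Q3,bob,finance,reported
2009-Q3,carol,engineering,delivered
2009-Q3,carol,engineering,clicked
2009-Q3,dave,engineering,delivered
2009-Q4,alice,finance,delivered
2009-Q4,alice,finance,clicked
2009-Q4,bob,finance,delivered
2009-Q4,bob,finance,reported
2009-Q4,carol,engineering,delivered
2009-Q4,carol,engineering,reported
2009-Q4,dave,engineering,delivered
2009-Q4,dave,engineering,clicked
"""

ACTIONS = ("delivered", "clicked", "submitted", "reported")
FAILING_ACTIONS = ("clicked", "submitted")  # assumed policy: either one fails


@dataclass
class DeptResult:
    """Distinct (campaign, employee) pairs per action for one department."""
    delivered: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def rate(self, count):
        """Fraction of delivered lures with the given outcome, 3 decimals."""
        return round(count / self.delivered, 3) if self.delivered else 0.0


def parse_events(lines):
    """Parse 'campaign,employee,department,action' lines; skip blanks and comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, employee, dept, action = (f.strip() for f in line.split(","))
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r} in line {line!r}")
        events.append((campaign, employee, dept, action))
    return events


def summarize(events):
    """Return {department: DeptResult}, counting each employee once per campaign."""
    seen = defaultdict(set)  # (dept, action) -> {(campaign, employee)}
    for campaign, employee, dept, action in events:
        seen[(dept, action)].add((campaign, employee))
    summary = defaultdict(DeptResult)
    for (dept, action), pairs in seen.items():
        setattr(summary[dept], action, len(pairs))
    return dict(summary)


def failures(events):
    """Return {employee: {campaigns in which they clicked or submitted}}."""
    failed = defaultdict(set)
    for campaign, employee, _dept, action in events:
        if action in FAILING_ACTIONS:
            failed[employee].add(campaign)
    return dict(failed)


def repeat_failers(events, min_campaigns=2):
    """Employees who failed in at least min_campaigns distinct campaigns."""
    return sorted(e for e, c in failures(events).items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print(f"{'department':<12}{'sent':>6}{'click':>8}{'submit':>8}{'report':>8}")
    for dept, r in sorted(summarize(evs).items()):
        print(f"{dept:<12}{r.delivered:>6}{r.rate(r.clicked):>8}"
              f"{r.rate(r.submitted):>8}{r.rate(r.reported):>8}")
    print("repeat failers:", ", ".join(repeat_failers(evs)) or "none")
```

Two design points matter when you adapt this to real campaign data. First, counts are of distinct (campaign, employee) pairs, so an employee who reloads the lure page several times is one click, not several; otherwise click rates inflate. Second, the failure rule is written down in one place (FAILING_ACTIONS), which is where the "know what constitutes success versus failure" decision belongs: if your policy says an employee who clicks but then promptly reports the email still passes, change that rule there rather than in the reporting code.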

Social engineering testing is a key component of regular awareness training and at the same time produces detailed information that security professionals can use to develop and target security training campaigns. By communicating clearly with employees and conducting social engineering tests on a regular basis, it's possible to dramatically improve employees' resistance to phishing and voice phishing attacks.

About the author:
Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.
