As more organisations transition to borderless enterprises, CIOs are weighing up the benefits of embracing mobility, video and collaborative applications, such as social networking and peer-to-peer technologies, versus the threat of security breaches.
The major forces of change reshaping the global security landscape, including the shift from the virtualisation of operations to collaboration and social networking, provide new opportunities for criminals to infiltrate networks and steal high-value business data. These changes demand that organisations rethink their approaches to enterprise security.
You’re only as strong as your weakest link
The psychology of phishing and pharming suggests that social engineering attacks are personal. Successful instigators of social engineering are constantly creating and deploying new attacks, forcing employees to recognise and deter threats that are outside of their specific security experience.
Many initial social engineering attacks were successful because they took advantage of real employee names, partial passwords or authentication schemes, and other carefully gathered intelligence to convince employees that they were involved in legitimate transactions. Hackers gathered this information largely through social means, hence the term social engineering, i.e. by listening to conversations in public places and watching people enter passwords and PINs into laptops.
Today, many hackers integrate technology into their schemes to launch even more creative, sophisticated and destructive attacks. Two examples of social engineering techniques that integrate technology are phishing and pharming.
Phishing elicits secure information through an email message that appears to come from a legitimate source, such as a service provider or financial institution. Pharming also takes advantage of false websites, but redirects users to the false site as they attempt to access a legitimate website.
Get highly secure mobility for your workforce
Enterprises are looking to their channel partners to shed light on best-fit solutions for remedying this relatively unpredictable area of security management. CIOs now have a choice in supplementing employee access to corporate resources, from advanced mobile devices and different locations, with consistent, context-aware security policies.
CIOs can employ intelligent VPN or built-in security solutions and malware threat defence, and install a range of security software to combat phishing and pharming. However, the best defence against the full range of social engineering attacks is a corporate-wide culture of security awareness. Like automated network defence systems that identify and repel new viruses without human interaction, a security-aware culture helps employees easily and routinely identify and repel social engineering attacks.
Creating and maintaining a security-aware culture
Security awareness is a vital defence. A security-aware culture requires top-level executive commitment and empowerment of staff at all levels to be able to challenge others.
It requires a collective vision with a core set of principles, policies and procedures, which reflect the overall vision of corporate information security. Policies could include:
- Guidelines, such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk), will help secure information assets.
- Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed passwords. Mobile workers are particularly susceptible to security breaches, and many organisations are implementing multi-layered security to counteract attacks on the network for their mobile workforce.
- Multiple layers of anti-virus defences, such as at mail gateways and end-user desktops, can minimise the threat of phishing and other social engineering attacks.
- A documented change management process is more secure than an ad-hoc process, which is more easily exploited by an attacker who claims to be in a crisis.
- A classification policy should clearly describe what information is considered sensitive and how to label and handle it.
- Document handling and destruction: sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.
- Organisations should have effective physical security controls such as visitor logs, escort requirements, and background checks.
Security-aware employees are more willing to take ownership of security responsibilities. A security-aware culture also requires ongoing training that informs employees about the latest security threats, and risk assessments that test the resistance of employees to social engineering attempts and techniques.
Security threats should be part of an overall risk management strategy.