
The On-going Threat of Social Engineering


I spoke recently at a meeting of the Dublin, Ireland chapter of ISACA about the continued (and increasing) use of social engineering in cyberattacks discussed in several recent reports, including the joint report by ISACA and RSA that documents the results of a survey of cybersecurity professionals, conducted in the first quarter of 2015. Those results show that phishing and other kinds of social engineering attacks were the most common attacks within enterprises in 2014, with nearly 70% of respondents citing phishing as having resulted in exploits in the enterprise, and 50% citing other social engineering attacks, including water-holing attacks, SMS phishing (SmiShing), voice phishing (vishing) and so on.


(graphic from RSA-ISACA report)

Similarly, the RSA Cybercrime 2015 report, published in April, calls out the increasing use of water-holing attacks as the way attackers begin their campaigns against an enterprise. And the Verizon Data Breach Investigations Report (DBIR) 2015 found that more than half of all APT attack campaigns started with spear-phishing or other social engineering attacks.


(graphic from Verizon DBIR 2015)

At this point in my presentation, one of the ISACA members in the audience asked “Given this use of social engineering, what can we do to protect our users and our companies?” The question led to a very lively discussion, beginning with the focus in many organizations on education as the way to help users recognize and avoid social engineering attacks. But as I had suggested in an earlier blog post, many of the ISACA attendees felt that, important as education is, it isn’t enough. So we explored two other ideas for how to deal with social engineering attacks.

We talked first about technologies and processes that help protect the user. These include technologies that stop social engineering attacks before they reach the user: tools such as email filtering, blacklisting and whitelisting, made more effective by information-sharing processes that draw on a broad range of intelligence sources. They also include technologies such as adaptive authentication that let the organization detect an attacker’s attempts to use stolen credentials.
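As an added example (not code from the original post or from RSA), the screening below shows what one layer of that filtering can look like: it combines a sender blocklist and allowlist with the SPF/DKIM/DMARC results recorded in the Authentication-Results header, lookalike-domain and display-name checks against brands worth protecting, Reply-To mismatches, and urgency wording in the subject. The domains, lists, keyword list, thresholds and the four sample messages are all constructed for the illustration. The allowlist is deliberately not trusted on its own: a message whose From claims an allowlisted domain but fails authentication is quarantined, not allowed.

```python
"""Screen inbound mail for social-engineering indicators before it reaches the user."""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical lists; a real deployment would feed these from shared threat intelligence.
ALLOWLIST = {"corp.example"}                  # trusted sending domains (must still authenticate)
BLOCKLIST = {"known-bad.example"}             # domains already reported as phishing infrastructure
PROTECTED = {"corp.example", "bank.example"}  # brands attackers are likely to imitate
URGENCY_WORDS = ("urgent", "verify", "suspended", "password", "immediately")


def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted lookalikes such as c0rp.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_failures(msg):
    """SPF/DKIM/DMARC results in Authentication-Results that are anything other than pass."""
    failures = []
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            if result.lower() != "pass":
                failures.append(f"{mech.lower()}={result.lower()}")
    return failures


def score_message(raw):
    """Return a verdict (block / quarantine / flag / allow) and the reasons behind it."""
    msg = message_from_string(raw)
    sender_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    failures = auth_failures(msg)

    if from_domain in BLOCKLIST:
        return {"verdict": "block", "reasons": ["sender domain on blocklist"]}
    # Allowlisting alone is not enough: a spoofed From must still pass SPF/DKIM/DMARC.
    if from_domain in ALLOWLIST and not failures:
        return {"verdict": "allow", "reasons": ["allowlisted sender, authentication passed"]}

    reasons = [f"authentication {f}" for f in failures]
    for brand in PROTECTED:
        label = brand.split(".")[0]
        if from_domain != brand and (levenshtein(from_domain, brand) <= 2 or label in from_domain):
            reasons.append(f"sender domain {from_domain} resembles {brand}")
        if label in sender_name.lower() and from_domain != brand:
            reasons.append(f"display name claims {brand} but domain is {from_domain}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
    if any(w in (msg.get("Subject") or "").lower() for w in URGENCY_WORDS):
        reasons.append("urgency language in subject")

    verdict = "quarantine" if len(reasons) >= 2 else "flag" if reasons else "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail).
LEGIT = """From: Payroll <payroll@corp.example>
To: alice@corp.example
Subject: April payslip available
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass

Your payslip is on the intranet.
"""
PHISH = """From: "Corp IT Helpdesk" <helpdesk@corp-helpdesk.example>
Reply-To: collect@mailbox.example
To: alice@corp.example
Subject: URGENT: verify your password within 24 hours
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp-helpdesk.example; dkim=none; dmarc=fail

Your account will be suspended unless you verify it now.
"""
SPOOFED = """From: Payroll <payroll@corp.example>
To: alice@corp.example
Subject: Updated bank details needed
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example; dkim=none; dmarc=fail

Please confirm your bank details on the attached form.
"""
BLOCKED = """From: Security <alerts@known-bad.example>
To: alice@corp.example
Subject: Account notice
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=known-bad.example; dkim=pass; dmarc=pass

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("PHISH", PHISH), ("SPOOFED", SPOOFED), ("BLOCKED", BLOCKED)):
        print(name, score_message(raw))
```

On the samples, the legitimate payslip mail is allowed, the helpdesk lookalike is quarantined on several independent signals, the spoofed payroll mail is quarantined purely on its authentication failures even though its From domain is allowlisted, and the blocklisted sender is blocked outright. Each reason is kept with the verdict so that the same output can be forwarded to the analytics described later in the post.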

But like user education, these protective approaches aren’t enough. An organization has to expect that some social engineering attacks will get through that protective net and that some users will fall victim to them. To deal with that situation, organizations have to employ the analytics-based approach that we call intelligence-driven security: comprehensive visibility to detect possible attacks, a broad range of analytics to understand and prioritize those attacks, and action taken quickly and effectively in response to them.
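The adaptive authentication mentioned above, and the visibility-plus-analytics detection this paragraph describes, can be illustrated with a login risk scorer. The example below is added here and is not RSA’s code; it replays a constructed sequence of login events per user and scores each successful credential check against that user’s own history: a device never seen before, impossible travel relative to the previous login (speed above an assumed 900 km/h), a login outside an assumed working-hours window, and a burst of failed attempts just before the success. The thresholds, coordinates, user names and events are all assumptions for the illustration.

```python
"""Risk-score each login against the user's own history (adaptive-authentication style)."""
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner between two logins is impossible travel
FAILURE_WINDOW_MIN = 15     # assumption: failed attempts this close before a success count as a burst
WORK_HOURS = range(6, 23)   # assumption: 06:00-22:59 UTC is the normal login window

# Constructed login events, oldest first (not from the page); coordinates are approximate city centres.
EVENTS = [
    {"user": "alice", "ts": "2015-05-04T08:05:00", "lat": 53.35, "lon": -6.26, "device": "laptop-1", "ok": True},    # Dublin
    {"user": "alice", "ts": "2015-05-04T09:40:00", "lat": 53.35, "lon": -6.26, "device": "laptop-1", "ok": True},    # Dublin
    {"user": "alice", "ts": "2015-05-04T10:12:00", "lat": 40.71, "lon": -74.01, "device": "unknown-7", "ok": True},  # New York, 32 min later
    {"user": "bob", "ts": "2015-05-04T23:50:00", "lat": 6.52, "lon": 3.38, "device": "unknown-3", "ok": False},
    {"user": "bob", "ts": "2015-05-04T23:52:00", "lat": 6.52, "lon": 3.38, "device": "unknown-3", "ok": False},
    {"user": "bob", "ts": "2015-05-04T23:55:00", "lat": 6.52, "lon": 3.38, "device": "unknown-3", "ok": False},
    {"user": "bob", "ts": "2015-05-04T23:58:00", "lat": 6.52, "lon": 3.38, "device": "unknown-3", "ok": True},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess_login(successes, failures, event):
    """Score one valid-password login against the user's prior successes and recent failures."""
    score, reasons = 0, []
    ts = parse_ts(event["ts"])
    if event["device"] not in {s["device"] for s in successes}:
        score += 2
        reasons.append("device not seen before for this user")
    if successes:
        last = successes[-1]
        hours = (ts - parse_ts(last["ts"])).total_seconds() / 3600.0
        km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 4
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
    if ts.hour not in WORK_HOURS:
        score += 1
        reasons.append("outside normal hours")
    burst = [f for f in failures
             if 0 <= (ts - parse_ts(f["ts"])).total_seconds() <= FAILURE_WINDOW_MIN * 60]
    if len(burst) >= 3:
        score += 2
        reasons.append(f"{len(burst)} failed attempts in the previous {FAILURE_WINDOW_MIN} min")
    action = "deny" if score >= 4 else "step_up" if score >= 2 else "allow"
    return {"user": event["user"], "ts": event["ts"], "score": score, "action": action, "reasons": reasons}


def run(events):
    """Replay events in order, building each user's history as we go; one decision per valid-password login."""
    history, decisions = {}, []
    for e in events:
        h = history.setdefault(e["user"], {"successes": [], "failures": []})
        if e["ok"]:
            decisions.append(assess_login(h["successes"], h["failures"], e))
            h["successes"].append(e)
        else:
            h["failures"].append(e)
    return decisions


if __name__ == "__main__":
    for d in run(EVENTS):
        print(d["user"], d["ts"], d["action"], d["score"], "; ".join(d["reasons"]))
```

Replaying the sample, alice’s first login is stepped up (first-seen device), her second is allowed, and the third, from New York 32 minutes after Dublin on an unknown device, is denied; bob’s successful login at 23:58, on a new device straight after three failures, is denied as well. The point is that a correct password no longer settles the question: the stolen credential is detected by the context in which it is used, and every decision carries its reasons so an analyst can act on it.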


(graphic from RSA Cybersecurity Poverty Index)

As the recent RSA Cybersecurity Poverty Index has shown, most organizations still have a lot of work to do to put in place an effective response to cyber attacks. Nowhere is this more true than for social engineering attacks. We need to bring together education, preventive mechanisms and the intelligence-driven security approach of visibility/analytics/action to reduce both the risk and the impact of this continuing – and increasing – threat.

This is a topic that we’ll be discussing in depth, along with many other vital issues in cybersecurity, at the up-coming RSA Advanced Cyber Defense Summit in Rome on June 23rd. I hope you can join me there!

The post The On-going Threat of Social Engineering appeared first on Speaking of Security - The RSA Blog and Podcast.

