As businesses seek to align with more comprehensive, aggressive, and effective security standards, it's important to remember that security threats often take the path of least resistance. Not all hackers are egotistical programmers who just want to see their high-tech infiltration techniques succeed; with increased security (or promises of security) comes complacency that can be exploited with emails, casual conversation, a few sweet words, or just careless assumptions.
As you consider cyber attack response planning to meet DFS cyber regulation standards, consider social engineering and its continued dangers.
What Is Social Engineering?
How to Win Friends and Influence People is a famous self-help book whose title has become something of a meme in its own right. Influence means many things, from winning valuable allies in order to succeed in business and politics, to having a more fulfilling personal life, to pulling off crimes that the defenders practically invite you to complete.
Social engineering is a term used to describe psychological manipulation. In Information Security (IS), it can be as simple as calling a company's help desk while pretending to be an employee or leader, then asking for that person's password to be reset, which yields easy access. It could be as complicated as getting into a romantic relationship with high-level leadership to gain access to information.
It's spying in some cases, and in others just trying simple things to see what works. To defend against social engineering, you need both training and a system of checks and balances.
Make Fake Resets Irrelevant
Employees need to verify identity before allowing access. This is not a new training point, and although your business should train new (or gullible) employees to avoid being tricked, you shouldn't leave the security risk up to individual employees' vigilance.
Any password reset should authenticate the specific person. For most employees, this means the person with the affected account needs to physically visit the help desk and ask for a reset. That's a sound policy, but people sneak around restrictions on a regular basis, especially when a high-ranking person assumes they're above the rules, or a frightened help desk representative wouldn't dare argue with a high-ranking official.
Authentication can be improved with mobile devices, using two-factor authentication that must be confirmed by the account holder. There are ways around this, such as stealing the phone or somehow copying the phone's digital signature. To make it even harder, log every password reset and monitor what the freshly reset account then tries to access.
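The reset policy and the post-reset monitoring described above, written out as an added Python example (not code from the original article or from any particular help-desk product). It assumes three things that the article does not specify: that remote resets are confirmed with a one-time code the account holder reads from an authenticator app on an enrolled device (TOTP, RFC 6238, implemented here with the standard library), that every reset decision is appended to an audit list, and that each account has a baseline set of resources it normally uses. The job title of whoever is asking is recorded but deliberately plays no part in the decision, so a nervous help desk representative has nothing to argue about. Account names, secrets, log entries and resource names are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample enrollment: account -> base32 TOTP secret of the holder's enrolled device.
ENROLLED_DEVICES = {
    "alice": "JBSWY3DPEHPK3PXP",
    "cfo": "GEZDGNBVGY3TQOJQ",
}


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given time; what the authenticator app displays."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret_b32: str, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Constant-time check of a submitted code against the current step plus/minus `skew` steps."""
    if not code.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * step), code)
        for d in range(-skew, skew + 1)
    )


@dataclass
class ResetRequest:
    account: str                       # account whose password is to be reset
    channel: str                       # "in_person" or "remote"
    id_checked: bool = False           # help desk inspected photo ID at the counter
    holder_code: Optional[str] = None  # one-time code read out by the account holder
    requester_title: str = ""          # who is asking; logged, never used in the decision


def decide_reset(req: ResetRequest, now: int, audit: list) -> tuple:
    """Apply the reset policy, append an audit record, and return (approved, reason)."""
    if req.channel == "in_person" and req.id_checked:
        approved, reason = True, "in person with ID check"
    elif (req.channel == "remote" and req.holder_code is not None
          and req.account in ENROLLED_DEVICES
          and verify_totp(ENROLLED_DEVICES[req.account], req.holder_code, now)):
        approved, reason = True, "holder confirmed via enrolled device"
    else:
        # Anything else, including "the CFO is on the line", is refused and still logged.
        approved, reason = False, "identity not verified"
    audit.append({"ts": now, "event": "password_reset", "account": req.account,
                  "approved": approved, "reason": reason,
                  "requester_title": req.requester_title})
    return approved, reason


def flag_post_reset_access(audit: list, access_events: list, baseline: dict,
                           window: int = 24 * 3600) -> list:
    """Alert when a freshly reset account touches a resource it never used before.

    access_events: (unix_time, account, resource) tuples from the access log.
    baseline: account -> set of resources seen in normal use before the reset.
    """
    reset_at = {r["account"]: r["ts"] for r in audit
                if r["event"] == "password_reset" and r["approved"]}
    alerts = []
    for ts, account, resource in access_events:
        t0 = reset_at.get(account)
        if t0 is None or not (t0 <= ts <= t0 + window):
            continue
        if resource not in baseline.get(account, set()):
            alerts.append({"ts": ts, "account": account, "resource": resource,
                           "seconds_after_reset": ts - t0})
    return alerts


def demo() -> tuple:
    """Run three constructed reset requests and then scan constructed access events."""
    audit = []
    now = 1_700_000_000
    alice_code = totp(ENROLLED_DEVICES["alice"], now)  # read from alice's own authenticator
    decisions = [
        decide_reset(ResetRequest("alice", "remote", holder_code=alice_code), now, audit),
        decide_reset(ResetRequest("cfo", "remote", requester_title="Chief Financial Officer"), now, audit),
        decide_reset(ResetRequest("bob", "in_person", id_checked=True), now, audit),
    ]
    baseline = {"alice": {"mail", "hr-portal"}, "bob": {"mail"}}
    events = [
        (now + 600, "alice", "mail"),              # normal for alice
        (now + 900, "alice", "finance-share"),     # new resource minutes after the reset
        (now + 1200, "bob", "mail"),               # normal for bob
        (now + 200_000, "alice", "payroll-export"),  # outside the monitoring window
    ]
    return decisions, flag_post_reset_access(audit, events, baseline)


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
    for a in demo()[1]:
        print(a)
```

The remote branch only ever accepts a code generated on the device enrolled for the account being reset, so a caller who is not the holder cannot supply one; the monitoring branch treats the reset itself as the trigger and only cares about resources outside the account's established pattern, which keeps alert volume low while catching the "suddenly reset account wants something new" case the text warns about.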
Contact a cybersecurity professional to discuss more parts of the sometimes intangible, trust-based world of social engineering protection.