Countermeasures to social engineering attacks

Dumpster Diving

One simple way to help stamp out dumpster diving attacks is to bring in suitable waste management, this can be done by investing in a secure waste management service so social engineers can't gather information about your organisation from the dumpster and use it to launch spear-phishing or other targeted social engineering attacks. Policies on how to deal with waste should be put in place, this could include:

- Shredding all paperwork for example important SAAS or banking documentation that may contain sensitive information in a crosscut shredder before being recycled

- Completely destroy hard drives and other storage devices that can retain memory prior to disposing of them correctly

Shoulder Surfing

There are many ways to help reduce the risk of someone peering over your shoulder and seeing your sensitive data, these are some suggestions you should implement when entering personal information into devices or filling out forms during lecturers, in study areas or on public transport where others can see what your doing:

- Angle your device so that other people cannot see what you are typing

- If possible, sit or stand with your back to a wall when entering a password on a device in public

- Stand in a quiet spot away from crowds of people

- Shield forms from viewing when filling out paperwork in public

- Use strong passwords to make it more difficult for someone to try and guess what you typed

- Remember to lock your computer or device when you leave your device unattended

- Use a privacy screen to make your screen less visible to others

- Try to avoid opening personal accounts in public altogether

Tailgating (and other physical social engineering attacks)

Physical attacks must be taken as seriously as any other form of attack this means having security measures put in place at all physical entry and exit points to an organisation’s facility. All assets should have some sort of protection and monitoring setup to make sure only authorised personnel have access to restricted areas and resources. Some countermeasures include:

- Automatic locking door

- CCTV

- Photo identification badges

- Biometric access technology

- Visitor badges

- Sign-in sheets

Making use of auto-locking doors helps deliver a safeguard for when legitimate members of an organisation forget to upkeep security protocol. These kinds of doors help to diminish users forgetting to lock entry and exit points that can lead to restricted areas or shielded resources such as university/college labs where expensive equipment and devices are being held. Auto-locking doors can be seen as a similar security measure to that of the auto-lock feature on PCs to ensure the access to restricted data is kept secure when users forget to lock their device. Organisations should make clear the danger of tailgating to its members when entering or exiting secured locations. Attackers may attempt to exploit an individual’s courtesy of holding a door open for someone in hopes of entering an unauthorized area. Students may find it rude to let the door shut behind them when another individual is trying to pass through the door, but this should be encouraged as it is for security purposes. This tactic further ensures the locking doors are not defeated via any social engineering attempt.

CCTV can be implemented to add a logging mechanism as well as provide a deterrent to any engineers who plan on carrying out a physical security attack. In addition to providing a way of tracking users entering and exiting facilities, they can also be used to survey the lead up to an event, during the event and post-event, which can help build a police report and be used as evidence in a court of law.

Identification badges for example student cards are also another well-exercised method used to prevent unwanted individuals from gaining access to restricted areas. When this method is used, some form of holographic overlay or sticker should be incorporated to ensure visual authentication can be made and to make it difficult for attackers to forge. In addition to holographic imagery, there should be some form of data encoded on the card that verifies that this individual is part of the organisation and grants or denies them permission to the different parts of the facilities.

Another system used to control access in and out of restricted areas is biometric access devices, these usually come in the form of a retina scanner or hand/finger scanner. These systems are usually very secure and hard to bypass but not completely impossible to crack, to have the best defence against social engineering attacks implement multiple counter measurements.

All visitors who attend an organisations premises should be provided with a visitors’ badge; this allows all visitors to be accounted for. Along with badges, it should be mandatory that each visitor signs a visitor log when they enter the premises stating their name, the reason for visitation, time checking in and when they are leaving make sure to sign out. Visitor logs allow you to check who was in the vicinity when and if an event occurs.

Phishing

An extremely effective way to protect an organisation and improve individuals’ knowledge about social engineering is to train employees and students as this helps improve both physical and digital security measures. It is important that individuals are regularly educated about social engineering as new attacks and ways to exploit vulnerable people are always changing. It should also be a priority to put in place some form of service that facilitates the reporting and investigation of suspicious activity such as emails and phone calls that may be directed at employees or students of an organisation. If you have received an email which you’re not quite sure about, visit https://www.ncsc.gov.uk/information/report-suspicious-emails or forward it to report@phishing.gov.uk . Security awareness training can reduce the risk that individuals of an organisation become victims to a social engineering attack which in turn protects the organisation's assets and avoids things like data leaks etc. Training should outline how to identify a social engineering attack and then how to appropriately deal with it, this could be a form of mitigation technique such as policies that must be followed or reporting a suspected phishing attack to the security team.

To prevent phishing scams numerous other techniques can be implemented but none can completely wipe out the serious risk of phishing attacks. These are some of the ways an organisation can help safeguard their staff, students and assets:

- Ensure a SPAM filter is applied to detect potential phishing emails

- Make use of a web filter to block any malicious websites

- Install an antivirus software and make sure you monitor the status of the software to ensure it is up to date as well as installing signature updates regularly to enable the anti-virus to detect known viruses

- Keep all systems up to date with the most recent security patches and updates

- All sensitive data should be encrypted

- Disable HTML emails as they can contain unwanted, mislabelled links, Web bugs, harmful active content, and worms and viruses

Classification of information is also a good way to ensure that data is not leaked to attackers. This is done by setting the different levels of data depending on their importance and confidentiality. A simple way of doing this is by laying out guidelines to staff to indicate the classification of data, data that is recognised as being the least sensitive would be classed as public data and would require very little security requirements to store and handle this data. On the other hand, data that is seen to be confidential is in the highest level of security classification and would contain the most sensitive data. This sort of classification is a good base level for the security of data and helps keep sensitive data where it belongs.

Access privileges employed with classification can aid security and provide a better chance that data cannot be obtained by unwanted attackers. Access privileges can be controlled through the user access control feature found on most operating systems, this ensures that users are who they say they are and that they have the appropriate access to data. If an organisation provides users with unnecessary system privileges, then there is a higher chance that theses privileges will be exploited, or users will be manipulated by attackers into taking advantage of complete access. Users should be provided with just the right amount of privileges which will be determined by their position in the organisation i.e. students only having access to read materials published to the intranet and uploading to certain things but lecturers can have the ability to read all as well as being able to upload materials more than the students but still not as many privileges as a technical support staff member would require. This way less privileged users couldn’t just delete all files uploaded by a lecturer and ruin the intranet.

Making use of password policies is also another good method of making sure data is kept secure. Some of the most commonly used password policies are the following:

- Password age policy, this will prevent users from keeping the same password instead they will have to change it periodically for example once every 3 months, this makes it harder for attackers to guess passwords

- Minimum password length policy, this will make it necessary that a certain amount of characters is used when creating a password usually a minimum of 8 is standard. Having a long password makes it harder to guess or crack but having an extremely long password is also harder to remember so there must be a happy medium between the two

- Password complexity policy, enabling this policy makes it mandatory that a specified complexity level is met when creating a password. Things that can be made requirements when using this policy is; uppercase, lowercase letters, numbers, symbols etc

- Account lockout policy, this policy allows an account to be locked after a set amount of failed password login attempts has been met which lets accounts that are potentially being target by an attack to be locked