Reflections — Module 4

Zwivhuya
Apr 3, 2021

Cybersecurity Culture

Team at work (Image by Free-Photos from Pixabay)

In module 4, I learnt about social engineering and building a cybersecurity culture. In the previous modules, I learnt that human beings, and most specifically employees, are the last line of defence of information assets. However, human inattention, distraction, forgetfulness, and curiosity can undermine the best information security controls. The module focused mainly on the social engineering attack vector, as it pertains to exploits targeted at human weaknesses.

Social engineering attack methods can be categorised into hunting and farming, wide-scale, and focused. In general, each method is executed in four phases: research, hook, extract and exit. Alongside knowing how attackers operate, it is equally important to be able to identify potential social engineers. Social engineers can be private investigators, journalists, and outsiders. It is important to recognise that social engineers will always become more sophisticated in targeting individuals and organisations, so it is imperative that organisations and individuals regularly familiarise themselves with developments in social engineering exploits.

The second section of the module dealt with aspects of building a cybersecurity culture. Organisations and individuals need to be trained to identify the tell-tale signs of attacks whilst being able to safely engage with emails, requests, calls, and clickable link invitations. A successful cybersecurity program does not merely educate employees about cybersecurity risks; it continuously reinforces employees' commitment to cybersecurity awareness. This awareness is supported by up-to-date information and appropriate training. These awareness interventions can be developed using well-established Security, Education, Technology and Awareness (SETA) programs.

The SysAdmin, Audit, Network, and Security Institute (SANS) has many resources that organisations can use to develop their cybersecurity awareness programs. SANS has published a security awareness roadmap document which information security professionals can use to develop and tailor SETA programs. SETA projects are designed to inform all users about the policies and practices they are to adhere to and the consequences of non-compliance. Additionally, the projects develop employee skills and knowledge with regard to the specific security focus points of their roles. The projects are divided into three levels in order to address and engage users within their different general roles in the organisation: security awareness for staff in non-technical roles, security training for general staff and managers, and security education for staff in highly technical roles. Once the various aspects of the organisation's SETA program have been determined, appropriate teaching techniques and material are chosen to ensure that the program is effective in reaching its objectives.

What do you think the next big vector in social engineering will be?
Given that there is a strong push for data protection across the world, organisations are unfortunately going to be the hardest hit by financial liability as enforced by the law. That implies that the data protection insurance industry will boom; however, such insurers still have a long way to go in developing criteria for terms and conditions that are appropriate for different organisations' data security risk appetites. With the advent of working from home, I expect hunting, farming, spear-phishing, and watering-hole attacks to increase.

How can organisations and individuals prepare for developments in social engineering?
Information security officers in organisations need to perform an audit of existing SETA programs, policies and practices to ensure that they identify areas that need urgent attention now that employees are increasingly accessing information assets remotely. Organisations have difficulty keeping up to date with best practices in SETA programs to ensure the confidentiality, integrity and availability of information assets in an environment where attackers may compromise employees who are no longer protected by the traditional controls they had before. Organisations have no option but to adapt by allocating more resources to their SETA programs and information security controls. For example, this can mean retraining employees on how to keep work computers safe from malicious programs or compromise whilst working remotely. Regular emails can be sent to reinforce awareness, and sophisticated software controls can be used to detect non-compliance or potential compromise of employee devices that would expose organisations to data breaches.
