Like most systems integrators, we take cybersecurity very seriously because we understand that we are protecting more than our own infrastructure—we are protecting our clients’ infrastructures as well. Cybersecurity is a complex game of identifying and securing your systems to minimize attack surfaces and remediate potential attack vectors.
In previous posts, we’ve discussed how a good cybersecurity methodology includes patch management, threat detection, use of Active Directory, as well as proper network design and segregation. However, we haven’t spent as much time on the people side of cybersecurity—an area known as social engineering.
Social engineering is a broad term for manipulation techniques used to gain access to private or otherwise valuable information. In penetration tests (typically an authorized, simulated cyberattack used to discover vulnerabilities), social engineering is used heavily during reconnaissance to gather information about the target. Such activities can be as simple as calling the front desk and asking questions, or sending email blasts designed to reveal email naming conventions and shared mailboxes.
Many standard security practices—such as badge turnstiles to prevent tailgating and multiple security checkpoints—are designed to harden basic attack surfaces. These practices help tremendously, but have you ever thought about what you share on LinkedIn or other social media?
Many penetration tests borrow attacker practices such as scouring the web for employees' social media profiles to gather as much information as possible. Details like personal cell phone numbers, full names, titles, reporting structures, software packages in use, badge design, and similar details are readily available on platforms like LinkedIn. Think about it: how many employee badges showing names and ID numbers have you seen on LinkedIn? How many posts of laptop screens showing which software or browser tabs are open? And don't forget about all the posts tagging mentors and managers.
Although seemingly harmless, all these details can be used to begin a cyberattack. In fact, these methods are so commonly used that they have become a routine step in penetration tests.
Imagine a scenario where an attacker uses these details to call an employee at a large corporation, pretending to be (or to represent) that employee's manager. The attacker urgently needs some details, a password, or login information. Maybe they first ask for something small to gauge compliance before making larger, more damaging requests. They could also call posing as IT, with enough gathered information to fake their way through the conversation. All these techniques are meant to start cracking holes in an otherwise solid defense.
Although a comprehensive training program is the best defense for situations like this, following are some key tips—which we use ourselves—to shore up protection:
- Verify identities. One of the first things we ask our employees to do is verify the identity behind suspicious-looking emails, phone calls, or texts. This can be done in person, over the phone, or over a secure internal communication channel like Microsoft Teams.
- Limit information displayed on social media. It's good practice to review your social media profiles and screen them for information that could be used for nefarious purposes. When in doubt, don't post!
- Train your team. Training and routine reminders about good cybersecurity and social engineering awareness can go a long way toward getting ahead of these specific scenarios.
Will Aja is Vice President Customer Operations at Panacea Technologies, a certified member of the Control System Integrators Association (CSIA). For more information about Panacea, visit its profile on the Industrial Automation Exchange.