Like most systems integrators, we take cybersecurity very seriously because we understand that we are protecting more than our own infrastructure: we are protecting our clients' infrastructures as well. Cybersecurity is a complex game of identifying and securing your systems to minimize attack surfaces and remediate potential attack vectors.
In previous posts, we've discussed how a good cybersecurity methodology includes patch management, threat detection, use of Active Directory, and proper network design and segregation. However, we haven't spent as much time on the people side of cybersecurity, an area known as social engineering.
Social engineering is a broad term that describes manipulation techniques meant to gain access to private or otherwise valuable information. In penetration tests (authorized simulated cyber-attacks used to discover vulnerabilities), social engineering is used heavily when researching the target to gather information. Such activities could be as simple as calling the front desk and asking questions, or sending email blasts designed to determine email naming conventions and shared mailboxes.
Many standard security practices, such as badge turnstiles to prevent tailgating and multiple security checkpoints, are designed to harden basic attack surfaces. These practices help tremendously, but have you ever thought about what you share on LinkedIn or other social media?
Many penetration tests use hacker practices such as scouring the web for social media profiles of employees to gather as much information as possible. Details like personal cell phone numbers, full names, titles, reporting structures, software packages used, badge design, and other such details are readily available on platforms like LinkedIn. Think about it: How many employee badges showing names and ID numbers have you seen on LinkedIn? How many posts of laptop screens showing details like what software or browser tabs are open? And don't forget about all the posts tagging mentors and managers.
Although seemingly harmless, all these details can be used to begin a cyber-attack. In fact, these methods are so commonly used that they have become part of a routine process for penetration tests.
Imagine a scenario where an attacker uses these details to call an employee at a large corporation, pretending to be their manager or someone acting on the manager's behalf. They urgently need some details, a password, or login information. Maybe they ask for something small first to gauge compliance before making larger, more damaging requests. They could also call posing as IT, with enough information to fake their way through a conversation. All these techniques are meant to start cracking holes in an otherwise solid defense.
Although a comprehensive training program is the best defense for situations like this, the following are some key tips, which we use ourselves, to shore up protection:
- Verify identities. One of the first things we ask our employees to do is verify the identity behind suspicious-looking emails, phone calls, or texts. This can be done in person, over the phone, or over a secure inter-company communication channel like Microsoft Teams.
- Limit information displayed on social media. It's a good practice to look at your social media profiles and screen them for information that could be used for nefarious purposes. When in doubt, don't post!
- Train your team. Training and routine reminders for good cybersecurity and social engineering awareness can go a long way in getting ahead of these specific scenarios.
Will Aja is Vice President of Customer Operations at Panacea Technologies, a certified member of the Control System Integrators Association (CSIA). For more information about Panacea, visit its profile on the Industrial Automation Exchange.