Rampart de troika: a three-step process to overcome cyber security’s top threat

on April 14, 2019

By Daniel Jetton, Vice President of Cyber Services, obxtek

The weakest link in most network security is human; however, recent research has determined an effective, three-part process to mitigate the human factor vulnerability.

The human factor

Many cybersecurity experts consider the greatest threat to network security to be the manipulation of people to circumvent protocols. People are the wildcard because firewalls, intrusion detection, doors, and passwords are predictable. People less so.

The manipulation of people to penetrate a network is defined as social engineering. Hackers prefer this psychological, non-technical attack method because using human interaction to subvert security protocol is easier than penetrating a network using direct means.

Mitigating social engineering

Despite the prevalence of social engineering, research shows that mitigation can effectively be broken down into a three-step process.

The research demonstrates the relationship between cybersecurity training and reduced social engineering incidents. The study concludes that three steps must be taken to counter social engineering and mitigate the threat:

  1. Awareness/knowledge introduces the user to threats and the need to be
  2. Training prepares users to address and act on threats to minimize loss by exploitation.
  3. Reinforcement ensures users remain vigilant in their activities to combat social

The process has been named the Rampart de Troika (fortification of three).

Figure 1. Jetton’s Rampart de Troika.

Awareness

Awareness is the first step in confronting social engineering threats. Here, a user is introduced to the tactics of the social engineer, such as vishing (telephone), phishing (email), and smishing (text) exploits. Within this step, users must learn the value of information as well as sources of exploitation used by social engineers.

Training

Training is the next step. Once awareness is created, users learn what to do and what not to do. Users learn to not only protect their valuable company information but to also actively defend against engaged social engineers.

Training Musts:

  • Whether conducted in a classroom or online, training must be as hands-on and realistic as possible.
  • Training must be consistent, which means everyone at the company must have the same information and
  • Regardless of whether training is internally or externally sourced, it must reinforce what the company values and deems important while teaching users how they can avoid and/or mitigate social engineering
  • The training should cover, at a minimum, disclosure of personal information, policy review, effective destruction of old data, credentials, challenging individuals, physical security and techniques/motivations of the social

The standard should be no less than quarterly training so that skills and vigilance do not diminish over time.

Reinforcement

Reinforcement is the last step in the Rampart de Troika. Because unused skills lose their effectiveness, a company must not only actively test its staff with social engineering cold calls, phishing emails and chance meetings, but also notify employees that it will test them to ensure retention.

As in most programs, an important part of reinforcement is emphasizing the positive through incentives. Those who follow the proper protocol in response to any security incident should be rewarded with recognition. A mention in the company newsletter, an email, a gift card or any other form of acknowledgment is enough to let the user know they are doing the right thing. It is imperative that organization leaders recognize staff when they do the right thing, catch a mistake or foil a social engineering attempt. The result is threefold: the staff member is recognized; other staff see what positive behavior looks like and follow the example; and potential insider threats take note and reconsider any negative actions.

About the Author

Daniel “Dan” Jetton is the Vice President of Cyber Services for obxtek. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients. Obxtek’s accomplished teams have an established reputation for consistently and efficiently achieving goals for its portfolio of federal government customers. Dan Jetton, MBA, MS, MA is a CISSP, CAP, and PMP with 20 plus years of military service. He can be reached online at https://www.linkedin.com/in/danieljetton/ and at the obxtek website http://www.obxtek.com/. You can follow him on Twitter @cyberphalanx for cybersecurity news.
