By Daniel Jetton, Vice President of Cyber Services, obxtek
The weakest link in most network security programs is the human; however, recent research has identified an effective three-part process for mitigating that vulnerability.
The human factor
Many cybersecurity experts consider the greatest threat to network security to be the manipulation of people into circumventing protocols. People are the wildcard: firewalls, intrusion detection systems, doors, and passwords behave predictably; people do not.
The manipulation of people to penetrate a network is known as social engineering. Attackers favor this psychological, non-technical method because using human interaction to subvert security protocol is usually easier than penetrating a network by direct technical means.
Mitigating social engineering
Despite the prevalence of social engineering, research shows that mitigation can be broken down into an effective three-step process.
The research demonstrates a relationship between cybersecurity training and reduced social engineering incidents, and concludes that three steps must be taken to counter social engineering and mitigate the threat:
- Awareness/knowledge introduces the user to threats and the need to be
- Training prepares users to address and act on threats to minimize loss by
- Reinforcement ensures users remain vigilant in their activities to combat social engineering.
The process has been named the Rampart de Troika (fortification of three).
Figure 1. Jetton’s Rampart de Troika.
Awareness is the first step in confronting social engineering threats. Here, a user is introduced to the tactics of the social engineer, such as vishing (telephone), phishing (email), and smishing (text) exploits. Within this step, users must learn the value of information as well as sources of exploitation used by social engineers.
Training is the next step. Once awareness has been created, users learn what to do and what not to do: not only how to protect valuable company information, but also how to actively defend against a social engineer who has engaged them.
- Whether conducted in a classroom or online, training must be as hands-on and realistic as possible.
- Training must be consistent, which means everyone at the company must have the same information and
- Regardless of whether training is internally or externally sourced, it must reinforce what the company values and deems important while teaching users how they can avoid and/or mitigate social engineering
- The training should cover, at a minimum, disclosure of personal information, policy review, effective destruction of old data, credentials, challenging unfamiliar individuals, physical security, and the techniques and motivations of the social engineer.
Training should occur no less than quarterly so that skills and vigilance do not diminish over time.
Reinforcement is the last step in the Rampart de Troika. Because unused skills lose their effectiveness, a company must actively test its staff with simulated social engineering: cold calls, phishing emails and chance in-person encounters. Staff should be told in advance that such tests will occur; the purpose is to measure and reinforce retention, not to catch people out. Track the rate at which staff report a simulated attempt, not only the rate at which they fall for it, since a rising report rate is the clearest sign that the training is taking hold.
An important part of reinforcement is emphasizing the positive through incentives. Those who follow the proper protocol in response to a security incident should be rewarded with recognition: a mention in the company newsletter, an email, a gift card or any other acknowledgment lets the user know they are doing the right thing. Leaders must recognize staff when they do the right thing, catch a mistake or foil a social engineering attempt. The result is that the staff member is recognized, other staff see what positive behavior looks like and follow the example, and potential insider threats take note and reconsider any negative actions.
About the Author
Daniel “Dan” Jetton is the Vice President of Cyber Services for obxtek. He is responsible for leading and defining cyber strategy while ensuring security, defense and risk mitigation for his clients. Obxtek’s accomplished teams have an established reputation for consistently and efficiently achieving goals for its portfolio of federal government customers. Dan Jetton, MBA, MS, MA is a CISSP, CAP, and PMP with 20 plus years of military service. He can be reached online at https://www.linkedin.com/in/danieljetton/ and at the obxtek website http://www.obxtek.com/. You can follow him on Twitter @cyberphalanx for cybersecurity news.