Freigeben über


How to Create a Social Engineering Incident Response Plan?

Hello,

What's cross your mind when talking about Security?

Most of IT professionals and users when thinking about Security are primarily concerned about technical aspects, for instance: strong passwords' policies, Three Authentication Factors, Firewalls, Anti-Phishing, AntiMalwares, and so on. Of course, those are really important and can make a difference in terms of relative protection. Why I'm saying: "relative protection"?

Because most are unaware or do not give much attention to the human factor.

Human Factor?

A pop song comes to my mind:

" I'm only human
  Of flesh and blood I'm made
  Human
  Born to make mistakes "

Sure, we can make mistakes therefore the social engineering issues in the Security's field aren't excluded however we can work to minimize their effects.

Several Security's incidents in the customers that I have worked for, makes me believe more and more how crucial the human factor is — the techniques that attackers use to trick typical users into helping them — has become just as important for attackers as the technical element, if not more so.

Do you have a Security Incident Response Plan? That's cool.

Have you kept it up to date and exercising 'fire drills'? Nice... if so. 

Is Social Engineering at least mentioned in this plan?

Do you have a SOCIAL ENGINEERING Incident Response Plan?

My goal with this post is make you aware and give a kick-off  on this matter with some important bullets below:

 

Create a Social Engineering Incident Response Plan

  •  Put in place systems to detect and investigate potential social engineering attacks.
  • Create a virtual team to respond to attacks, and consider the following areas
    • What was or is being attacked, and how.
    • Which resources are threatened or compromised.
    • How to shut down an ongoing attack with the least amount of disruption to the business.
    • How to recover from the attack.
    • How to implement protections against similar attacks. 

 Create a Plan For Addressing Social Engineering In Your Organization

  • Determine which threats have the greatest potential:
  • Determine the resources attackers are most likely to pursue and those most critical to the business.
  • Analyze attacks that have occurred against your organization and those like it.
  • Determine where technology, policies, or company culture creates “soft spots” that are especially vulnerable to social engineering attack
  •  Determine how to address these vulnerable areas:  
    • Determine where technology or processes can be altered to reduce or eliminate the threats.
    • Create policies that make it easy for people to perform secure actions without feeling rude.

Create awareness training for those vulnerable areas that are most critical, and where technology, process, and policy may not address the problem sufficiently.
Ensure that your guidance fits well within your organizational culture; it should be:

Realistic -  Guidance should enable typical people to accomplish their goals without inconveniencing them.

Durable -  Guidance should remain true and relevant, and not be easy for an attacker to use against your people.

Memorable -  Guidance should stick with people, and should be easy to recall when necessary.

Proven Effective -  Guidance should be tested and shown to actually help prevent social engineering attacks.

Concise & Consistent -  The amount of guidance you provide should be minimal, be stated simply, and be consistent within all the contexts in which you provide it. 

 

As I said, this post may help as a kick-off. You can get more information from these sources:

1) More details on how to create a process around social engineering prevention and response can be found in:

    "How to Protect Insiders from Social Engineering Threats" on Microsoft TechNet.

2) The Microsoft® Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Past reports and related resources are available for download at www.microsoft.com/sir  

3) A good article for Portuguese speakers: Como proteger as pessoas de dentro da empresa contra ameaças de engenharia social

I hope that helps.

Alexandre 

Song's credit:  "Human" from Human League group.

.

Comments

  • Anonymous
    December 01, 2011
    Hi Alexandre, A long time ago I used to be a great enthusiast of social engineering and related subjects (like hacking and systems security). You know, I've never got myself into something bad, I was just interested in learn how to obtain some informations and break some security rules (maybe just for fun). When I was a teenager I spent a lot of nights reading about hacking on the internet (28.800 Kbps - lol), but then I suddenly lost my interest in such things, probably when I started working in my first job (as software development intern). In nowdays (now maybe 5 or 6 years after) when I'm writing codes, I often try to remember things I've learned reading books or websites years ago, aiming the security of my code; but I remember a book I read that changed my way of thinking about security, it was Kevin Mitnick's "The Art of Intrusion" (talks about social engineering and some other "hacking" techniques). I believe it's very hard to deal with social engineering because we're talking about people and their behaviour! So, I really believe your post is a good start to succesfully create an social engineering response plan or improve a weaker one, thanks. Keep posting! Best regards; Rick :)

  • Anonymous
    December 06, 2011
    The comment has been removed