An all-too-common problem for businesses of all sizes is cyber-attacks directed at end users, also known as social engineering. “End users” are the workers in a company who have user accounts and passwords and use desktops, laptops, tablets and other devices to interact with the company’s data and network.
Hackers and other bad guys target these end users because they have access to sensitive data and systems, their account passwords are typically easy to guess or crack, and they are often willing to open a malicious file, click on an emailed link or even willingly type their password into a bogus site.
Learn more about “Why Employees Are Your Number One Risk” in our podcast.
Protecting your company against end-user attacks requires a two-pronged approach:
- Provide your end users with security awareness training to help them be more aware of how security attacks occur, and
- Configure your systems to make it harder for the bad guys to successfully get in if an end user slips up.
Tips to configure your systems and protect your end users
- Keep up-to-date with security patches provided by software vendors for end-user machines. In addition to operating system patches, be sure to patch application software such as Adobe products, Java and web browsers, as older versions of those tools have well-known vulnerabilities that are frequent vectors of attack.
- Provide spam filtering for every machine, with sensitivity controls turned up. One of the most common tactics attackers use to make initial entry into a company’s network is enticing end users to click on a spam email link that installs malware. While this won’t stop every phishing attempt, if you can filter out even one, that is one fewer opportunity for an unsuspecting user to click a bad link.
- Remove local administrator rights from end-user machines. Local administrator rights give a user more power to make changes to a computer, and if an attacker gains control of a machine with those rights, damage to the network can be much more significant.
- Make sure there is up-to-date anti-virus/endpoint malware protection installed on every machine.
- Require IT personnel to use different passwords when they work on servers than they use on their own computers. Even IT administrators can fall victim to email phishing attacks when they are working on their own computer. If they click on a bad link while logged in as an administrator, attackers can gain big-time access to your network using their privileged credentials.
- Require “multi-factor authentication” for end users logging on to the network from a remote location. That means that a password alone is not enough to gain access; another form of authentication is needed. That could take the form of such things as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or a digital certificate. If multi-factor authentication is in place, an attacker who successfully captures an end user’s access credentials still won’t be able to remotely connect to the network.
- Develop a security awareness program for all end users to help them understand their responsibilities when using a company computer system and/or handling sensitive data. This training should also teach users how to create good passwords (ones that are easy to remember, but difficult to guess).
- Label incoming e-mails with a special note that clearly identifies that the e-mail is from an external source. For example, have all inbound e-mail messages marked with the word [EXTERNAL] in the subject line. This simple configuration of your mail server can help susceptible end users identify a bogus e-mail message and avoid clicking on the link or file it delivers.
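As an added illustration of the [EXTERNAL] tagging rule above (this code is not from the original article or from LBMC), here is the decision a mail gateway makes, assuming a hypothetical owned domain of example.com. The decision is keyed on whether the message arrived over the Internet-facing connection rather than on the From: header alone, because that header is trivially forged by someone posing as an internal sender:

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed values: the domains this organisation owns (substitute your own).
INTERNAL_DOMAINS = {"example.com"}
TAG = "[EXTERNAL]"


def from_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address ('' if absent or malformed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message, received_from_internet: bool) -> bool:
    """Anything that arrived over the Internet-facing connector is external,
    even when From: claims one of our own domains (that claim is unverified).
    Mail submitted by our own users is external only if From: is not ours."""
    return received_from_internet or from_domain(msg) not in INTERNAL_DOMAINS


def tag_subject(raw: str, received_from_internet: bool) -> str:
    """Return the raw message with TAG prepended to Subject when external.
    Idempotent: a subject already carrying the tag (placed by us on an earlier
    hop, or by the sender to look pre-screened) ends up with exactly one copy."""
    msg = message_from_string(raw)
    if not is_external(msg, received_from_internet):
        return raw
    subject = msg.get("Subject", "")
    while subject.upper().startswith(TAG):
        subject = subject[len(TAG):].lstrip()
    del msg["Subject"]  # Message.__setitem__ appends a header, so remove first
    msg["Subject"] = f"{TAG} {subject}".rstrip()
    return msg.as_string()


def subject_of(raw: str) -> str:
    """Subject header of a raw message ('' if absent); used to inspect results."""
    return message_from_string(raw).get("Subject", "")


# Constructed sample: an outside sender spoofing an internal-looking address.
SAMPLE = (
    "From: CEO <ceo@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process today.\n"
)

if __name__ == "__main__":
    print(tag_subject(SAMPLE, received_from_internet=True))
```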
Taking all these measures will not eliminate the possibility of a successful cyber-attack, but it will greatly reduce your exposure to this common attack path, which just might make a potential attacker move on to a more vulnerable target.
We understand this can be overwhelming, and we are here to help. Learn more about our practical and actionable Information Security Program Plan service.
Mark Burnette is a shareholder and practice leader of LBMC’s risk services division. Contact him at firstname.lastname@example.org or 615-309-2447.