I spoke recently at a meeting of the Dublin, Ireland chapter of ISACA about the continued (and increasing) use of social engineering in cyberattacks discussed in several recent reports, including the joint report by ISACA and RSA that documents the results of a survey of cybersecurity professionals, conducted in the first quarter of 2015. Those results show that phishing and other kinds of social engineering attacks were the most common attacks within enterprises in 2014, with nearly 70% of respondents citing phishing as having resulted in exploits in the enterprise, and 50% citing other social engineering attacks, including water-holing attacks, SMS phishing (SmiShing), voice phishing (vishing) and so on.

Similarly, the RSA Cybercrime 2015 report, published in April, calls out the increasing use of water-holing attacks as the way in which attackers begin their campaigns against an enterprise. And the Verizon Data Breach Report 2015 reported that more than half of all APT attack campaigns started with spear-phishing and other social engineering attacks. These issues apply to attacks on electric utilities, as well as every other industry vertical, government and academia. As long ago as 2001, the SANS Institute defined attack scenarios that used various social engineering techniques to gain access to control systems. The 2014 “The Hacker Always Get Through” report from SANS Institute re-confirmed the on-going risk of social engineering attacks as the launch vehicles for cyberattacks against all industries, citing the 2013 attack against the South Korean industry.

What can anyone do against this on-going threat? The focus in many organizations is on education as the way to help users – including control system administrators – recognize and avoid social engineering attacks. But as I suggested in an earlier blog, important as education is, it isn’t enough. An organization has to expect that some social engineering attacks will get through that protective net and some users will fall victim to those attacks.

To respond to that situation, organizations have to employ the analytics-based approach often called “intelligence-driven security”. Based on comprehensive visibility to detect possible attacks, this approach employs a broad range of analytics to understand and prioritize those attacks, as well as technology and processes to respond quickly and effectively to those attacks. This same approach has to be applied within the real-time processes for authenticating users and evaluating requests for access. Technologies that remove social engineering attacks before they reach the user, tools like email filtering, blacklisting and whitelisting, have to be enhanced by information-sharing processes that leverage a broad range of intelligence sources. In parallel, technologies like adaptive authentication are also needed, which enable the organization to detect attempts by an attacker to use stolen administrative credentials to gain access to control systems.

Adaptive authentication includes three critical capabilities, illustrated in the diagram below.

[Diagram omitted. Used by permission]

First, it is risk-based. That is, it takes advantage of rich context about the user, the requested resource and the environment in order to make a decision about whether a user is who they say they are and whether they should be allowed access to a requested resource. For example, a login request by an administrator is normally evaluated just in terms of credentials such as username and password. But the evaluation could also draw on other context about the user, such as detailed characteristics of the device being used, the typing speed and other key-stroke characteristics, and so on. It can include characteristics of the system they are attempting to gain access to, particularly in terms of the potential for disruption in the case of an attack.
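To make the risk-based evaluation concrete, here is a small worked example written for this post; it is not code from the original article or from any authentication product. It scores a login request on the kinds of context mentioned above (whether the password check passed, whether the device is one the user has been seen on before, how far the typing rhythm deviates from the user's baseline, and how much disruption a compromise of the target system could cause) and maps the score to allow, step-up or deny. Every user name, device id, baseline figure, weight and threshold in it is an assumption constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRequest:
    user: str
    credentials_valid: bool     # outcome of the ordinary username/password check
    device_id: str              # fingerprint of the device making the request
    typing_interval_ms: float   # mean inter-keystroke interval while typing the password
    target_system: str          # resource the user is asking to reach


# Constructed enrolment data for the example (hypothetical, not from any real deployment).
KNOWN_DEVICES = {"admin_alice": {"laptop-01", "jumphost-02"}}
TYPING_BASELINE_MS = {"admin_alice": (140.0, 25.0)}   # (mean, standard deviation)
# Criticality of the requested system: 1 = low disruption potential, 3 = control system.
SYSTEM_CRITICALITY = {"wiki": 1, "ticketing": 2, "scada-hmi-01": 3}
CRITICALITY_FACTOR = {1: 1.0, 2: 1.25, 3: 1.5}


def keystroke_deviation(user, observed_ms):
    """How many standard deviations the observed typing rhythm is from the user's baseline.

    A user without an enrolled baseline yields 0.0: no evidence either way.
    """
    if user not in TYPING_BASELINE_MS:
        return 0.0
    mean, std = TYPING_BASELINE_MS[user]
    return abs(observed_ms - mean) / std


def risk_score(req):
    """Combine credential outcome, device familiarity, typing rhythm and target criticality into 0..100.

    Valid credentials alone never clear a request: the context signals decide whether the
    credentials are being presented by their owner.
    """
    if not req.credentials_valid:
        return 100.0
    points = 0.0
    if req.device_id not in KNOWN_DEVICES.get(req.user, set()):
        points += 40                      # never-seen device (assumed weight)
    z = keystroke_deviation(req.user, req.typing_interval_ms)
    if z > 3:
        points += 30                      # rhythm far outside the user's baseline
    elif z > 2:
        points += 15                      # rhythm noticeably outside the baseline
    # The same anomalies weigh more when the target could cause more disruption.
    factor = CRITICALITY_FACTOR[SYSTEM_CRITICALITY.get(req.target_system, 1)]
    return min(100.0, points * factor)


def decide(req):
    """Map the risk score to an authentication decision (thresholds are assumptions)."""
    score = risk_score(req)
    if score < 30:
        return "allow"
    if score < 65:
        return "step_up"                  # demand a second factor before granting access
    return "deny"


# Constructed sample requests: the owner on a known device, the owner on a new device,
# and a request using the owner's valid password from an unknown device with a
# different typing rhythm against the control system.
SAMPLE_REQUESTS = [
    LoginRequest("admin_alice", True, "laptop-01", 145.0, "scada-hmi-01"),
    LoginRequest("admin_alice", True, "cafe-pc-77", 145.0, "wiki"),
    LoginRequest("admin_alice", True, "cafe-pc-77", 145.0, "scada-hmi-01"),
    LoginRequest("admin_alice", True, "cafe-pc-77", 70.0, "scada-hmi-01"),
    LoginRequest("admin_alice", False, "laptop-01", 145.0, "wiki"),
]


def evaluate_all(requests):
    """Return (request, score, decision) for each request, for logging or review."""
    return [(r, risk_score(r), decide(r)) for r in requests]


if __name__ == "__main__":
    for req, score, verdict in evaluate_all(SAMPLE_REQUESTS):
        print(f"{req.user:12} {req.device_id:12} {req.target_system:12} "
              f"score={score:5.1f} -> {verdict}")
```

The point the example makes is the one the paragraph makes: the fourth request passes the password check exactly as the first does, and only the surrounding context (unknown device, unfamiliar typing rhythm, high-criticality target) separates the two outcomes. In a real deployment the weights and thresholds would be tuned against the organization's own login history rather than fixed by hand.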