How can you make your digital authentication resistant to social engineering?

Use of strong, unique passwords which are changed frequently with MFAs has been the best practice and has helped us. However, most of us has more than dozen credentials to manage, if not more. Maintaining it even with password vault is a challenge. I think we need to move more towards making authentication stress-free. Use of passphrase, increasing password age with MFA and considering passwordless authentication could help make authentication simple. Login notification, real time risk monitoring could compensate for the relaxed password policy. I'm not saying it is going to solve the social engineer threats.

We should set some complex password policy and comply with it and also the duration of rotating it( set the password expiry). Other than this also implement MFA. I recommend to go with authenticators because they are the most secure one MFA after the hardware keys.

Complex password policies with MFA and a reset period of not more than 6 weeks. Ensuring compliance to set policies and guidelines is key to ensuring enhanced security posture.

There is good advice on authenticators already here. I would like to point out that MFA does not solve the threat of social engineering. Even an account protected by MFA needs the account owner to remain vigilant and suspicious of any communication that requires an authenticator.

Utilisez un gestionnaire de mot de passe externe au navigateur lorsque c'est possible. Des solutions comme Keepass, Bitwarden, Proton Pass peuvent être de bonnes solutions.

You also need to be on the lookout for smishing and vishing. Verify and validate communication by a separate communication channel. Most security professionals will happily answer whether something is a phishing attempt. Why? It prevents a bad day. Also if you do respond to a phishing attempt immediately contact your security team or IT team.

Phishing, a prevalent form of social engineering, weaponizes communication platforms to breach security. It’s crucial to develop a discerning eye for phishing attempts, which often manifest as seemingly legitimate emails or messages. Scrutinizing sender details, analyzing the content for inconsistencies, and verifying embedded links are key practices in phishing identification. Caution against unsolicited attachments and files from unverified sources is also paramount. Awareness and prompt reporting of these phishing attempts not only protect individual accounts but also fortify the collective security posture against such threats.

User Education: Regularly educate users about the importance of security practices, including recognizing phishing attempts and not sharing sensitive information. Phishing Simulations: Conduct regular phishing simulation exercises to help users recognize and report phishing attempts.

Recognizing Phishing Attempts Identifying phishing attempts is key to avoiding their traps. Critical signs to look out for include: 1. Sender’s Address: Phishers often use email addresses that closely resemble legitimate ones, with minor alterations that can be easy to overlook. 2. Subject Line and Content: Phishing emails frequently employ urgent, alarmist language, and may contain grammatical or spelling errors, unlike communications from professional organizations. 3. Suspicious Links and Attachments: Phishing emails often include links that, upon closer inspection, lead to dubious websites. They may also contain attachments that are malware in disguise.

I've found that keeping a "Report Phishing" icon or something similar in sight is helpful. It being prominent in each email has allowed users to think first before clicking on anything. Phishing tests are done. Staff who fail them get sent for a course on cyber security, and have to pass a quiz.

Social engineering frequently involves deceptive interactions, where imposters pose as trusted entities. It is vital to verify the identity of any individual requesting sensitive information or access, whether via phone calls, in-person visits, or digital correspondence. Establishing a protocol for authentication and being vigilant about not disclosing sensitive information without proper verification are essential practices. This approach significantly reduces the risk of inadvertently compromising credentials or access to unauthorized individuals.

There is no valid reason to share your credentials. If your spouse asks for your username and authenticators, assume they are social engineering you. Verify identity and legitimacy before providing any information. Answering any question could assist the social engineer in targeting someone else. We don't need to help them or their AI programs to become better. They are already too good.

Sharing your password is as absurd as handing your car keys to a random person and saying, "Feel free to take my identity for a spin, but please return it with a full tank of privacy!"

One way to mitigate this is to pre-plan such activities and do cross check on identities when possible. Identity Verification should be done on all cases where the caller is unknown.

When I worked helpdesk or service desk jobs, we dedicated a lot of training to ID verification to ensure the individual is who they are. They can be information that would be hard for somebody to find unless you make it easy by mapping your org tree on LinkedIn or other social media sites. 1) Use your other line and call the caller's personal or work number to confirm it is them. 2) Ask questions about their start date, cubicle location #, their manager. 3) Plant a statement like, hey it was nice talking to you are the company event last week on the topic off "blablabla" to catch the caller in a lie. There are many creative ways to verify somebody's ID.

The human factor is considered the weakest link in cyber security, awareness training and enlightenment or users is of immense importance in safeguarding against social engineering and minimizing its impact.

Also be aware that most people can and will fall for a social engineering attack. Even security professionals. If someone from your childs school calls will you be a professional following rules or a concerned parent? If something suspicious happens, contact security or IT. Our job is to support the business, we would love to either appropriately respond to an attack or ease your mind.

In today's cybersecurity world, education is crucial. Just having the right tools isn't enough. It's like having a strong lock but still sharing the key with strangers – not a wise move.

The most effective way to combat social engineering is to run exercises; prepare social engineering exercise scenarios, execute exercises bases on them, and use the results to periodically train your workforce.

Education is paramount but it must be interactive and as realistic as possible to be the most effective. Power pointing your users to death with slides and security awareness training is not effective on its own as malicious actors continue to abuse by exploiting this grey area in scope. Simulate attacks, phish your own users because it is the most effective way to teach them situational awareness. Once they are aware of these scenarios, their detection meter becomes tuned to the situations they would face.

I think this article was written for non-security professionals. I think it will be read by mostly security professionals. So I'm going to speak to them in this section. Certainly many of us are doing what we can to help and support our organizations. But I have seen that there are some that are still trying to induce fear or negatively incentivize their users. I don't think that is helpful in the long term. You're eroding trust. So instead be helpful. Find products that limit the likelihood of successful phishing. Thank everyone that brings up something they find suspicious.

It is not as grim as people might make it sound or portray. Surely social engineering aspect important but problem arises when you focus entirely on tools and policy implementation and not the human aspect of educating the employees and users inside the organization about what to expect and how to respond to various components that leads to successful social engineering attack like FOMO, time bound action, etc. It takes time but soon the weakest link becomes the strongest gate keeper.

I believe that making IT easy and accessible for non-security professionals is the best way; get the involved before implementing anything; observe them and consider their habits, and psychology. The last thing that people want is to have difficulty in accessing system they need to do work. Let's make them simple, secure, and resilient.

Pensez à vérifier régulièrement votre empreinte numérique. Les informations personnels que vous révélez sur les réseaux sociaux par exemple, peuvent être utilisées pour personnaliser une attaque par spearphishing et vous faire baisser la garde.

It is complicated, because it goes against our socialization instinct, but publishing a lot of data that can be used for social engineering is delicate. You must have a practice of limiting this type of information, which allows you to profile a phishing attack. Even more difficult, but essential, is to educate our close ones. Many professionals in the area are attentive, but our family members are very vulnerable. Multi-factor authentication (MFA) is a good practice.