The Newberry Group Blog


Thursday, March 13, 2014

Case Study: Ensuring Network Health with ForeScout CounterACT

Challenge:

A large Midwest firm wanted to allow employees and guests to access their networks and the internet regardless of the device being used. They also wanted a way to ensure anti-virus and security vulnerability patches were up-to-date on their own Windows devices.

The company needed a solution that provided visibility of their network and attached devices, provided an agentless capability, and was easy to install and manage. Compatibility with the client’s current switch and MDM vendors was another key factor as well as ensuring it could move forward with a future global deployment.

Solution:

Newberry partnered with ForeScout to provide a plan around the CounterACT solution. The client tested the solution for more than a month to ensure that the product worked well with the existing infrastructure, that it was easy to use, and that it would not cause network disruption.

CounterACT also provided the organization with a large amount of instant information they did not have access to previously. Now they can see who is connected to specific switches, see who was the last person to log into the network on a specific Windows PC or user IP address, and then enforce policies against those devices and machines attempting to connect.

Results:

Forescout CounterACT enhanced the health of the customer’s network by providing:

  • A more efficient and effective way to control network access (authority to connect) and ensure endpoint compliance.
  • Real-time inspection and easy manageability of guests, contractors and employees using a variety of devices to connect.
  • The ability to enforce security policies to only allow devices on the main network that have up-to-date antivirus, OS, and application patches.
  • The ability to quarantine any noncompliant devices and devices with viruses and immediately reduce the threat of malware entering the network.
  • An agentless solution with unprecedented compatibility with over 16 switch vendors and multiple MDM, antivirus and antispyware vendors.
  • Fewer resources required for network access control (NAC) deployment, maintenance and administration.

With ForeScout CounterACT, Newberry was able to quickly improve the customer’s network health and provide an automated solution for network access control, mobile security and endpoint compliance. Do you have a similar network access situation? Learn more about how Newberry can help.


Posted by: Tony Hausmann





Thursday, February 13, 2014

Case Study: Optimizing a Barracuda Web Application Firewall cluster

Challenge:

A Federal agency had recently purchased ten Barracuda Web Application Firewalls (WAF) from another vendor and had installed the devices themselves. However, since the Barracuda WAF solution was new to them and the configurations were transferred from another solution, they were unsure whether they had installed the devices in the most optimal setup.

Solution:

The agency relied on Newberry for a technical review of the installation of ten Barracuda Web Application Firewalls to validate operational efficiencies, infrastructure design, and to determine if deployed security policies for protected sites were effective in protecting from external threats.

How We Solved the Problem:

After determining the intended functionality of the configuration, Newberry’s Barracuda-certified team used current network diagrams to review the logical placement of each WAF in their respective data flows to determine correct placement and deployment method.
A full review of the WAF environment was performed to determine if the services, security policies, advanced security protection features, and administrative access controls were appropriately set up to protect against external threats and comply with NIST standards and agency policies. The configuration of enabled services such as High Availability (HA), Load Balancing, Data Theft Protection and Caching/Compression were also reviewed to ensure optimal performance and adherence to Barracuda’s recommended configuration.
Our team also analyzed firewall logs and reports to identify any security vulnerabilities and made configuration recommendations to enhance performance and offer a greater level of security.

Results:

Newberry enhanced the overall performance of the customer’s network and WAF configuration by:

  • Identifying security vulnerabilities, supported by manufacturer recommendations, industry best practices, known vulnerabilities, and compliance requirements.
  • Providing fixes for the identified vulnerabilities.
  • Offering recommendations for enhancing security and performance of the WAF and the overall network.
  • Lastly, providing a report of the assessment/configuration that included a management summary and the technical findings.

Why Newberry Group?

As one of the few Barracuda partners that can support the product line to the extent that was required by this customer, Barracuda immediately turned to Newberry to conduct this review. Newberry’s Barracuda-certified engineers brought the in-depth knowledge and experience needed to perform even the most intricate configuration and troubleshooting tasks.

Need help with your Barracuda product installation? Learn more about how we can help.


Posted by: Steve Carney





Wednesday, November 13, 2013

Building Effective Teams

Exceptional individual performer or team player: which is more rewarding, and which is more valuable?  Most organizations talk “team,” but unfortunately many primarily recognize and incentivize individual performance.  Further, some organizations unwittingly go out of their way to attract and promote people who actually resist the idea of linking their performance to someone else or to the “greater good.”  They seek out the lone wolf with the gaudy numbers for that silver bullet fix, and regrettably those gaudy results are often achieved at the expense of others and the long term health of the larger organization.   It is a fact in both team sports and business that a seamlessly executing team is the best way to accomplish complex tasks and sustain long term exceptional performance.  Effectively integrated teams are also central to cutting across boundaries to get things done, truly becoming organizationally agile and successful.

So in a short-sighted world that glorifies and rewards the individual in spite of the proven negative consequences to sustained performance, how do you ensure that effective teams get built?  Fortunately, experts like Michael Lombardo and Robert Eichinger have some ideas:

Practice #1:  Have a Plan.  A clearly articulated plan energizes, aligns, brings focus, encourages efficiency, and empowers.  Involve team members in creating that plan and you will only enhance their energy and commitment to “The Plan”.

Practice #2:  Run Interference.  An effective team leader has made the effort to become a “Maze Bright” organizationally agile person and is therefore an extremely good advocate for their team.  As discussed in my July 28, 2013 blog on Organizational Agility, no skill is more respected by your team. When you can go off into the wilderness of the organizational maze and consistently come back with results that benefit your team and make their professional lives easier, their loyalty to you, the team, and “The Plan” is assured.

Practice #3:   Make a Concerted Effort to Communicate and Inspire.  Show an interest in the work of your people, adopt a learning attitude toward mistakes, celebrate successes, have visible measures of success.  Invest time in understanding each person uniquely.  You don’t have to agree with them, you just have to understand them.  Give them the benefit of your thinking, particularly with respect to key objectives.

Practice #4:  Build a sense of joy and fun in the team.  Learn to celebrate wins.  Use humor and support it in others; look for opportunities to build group cohesion outside the office.

Building a “Dream Team” is not an easy task.  Blending individual talents and ensuring that you are taking advantage of each person’s strengths and avoiding unreasonable exposure to each person’s weaknesses is hard.  However, it is very much worth the effort.  High performing teams establish an uncommon trust between the team members in which individuals value the team above their own singular objectives.  Weaknesses are not considered “bad.”  They simply represent opportunities to cover for each other for the good of the team and take part in achieving a shared ultimate objective.  When the team is at its best, this exceptionally valuable behavior happens without any ill feeling, it just happens.  In the words of John Wooden, the immortal College Basketball Coach, “The main ingredient of stardom is the rest of the team.”


Posted by: Christopher Steinbach





Wednesday, October 30, 2013

The Responsibilities of Cleared Personnel

With October being National Cyber Security Awareness Month, this is a good time to think about the responsibilities that come with having a security clearance. It’s especially timely with the recent high profile security events involving Chelsea Manning, Eric Snowden, and Aaron Alexis. We may seem surprised by their actions, but if we think back to Aldrich Ames or Robert Hanssen, we see that these events are not the first of their kind.

When we obtain security clearances as government employees or contractors, we take on a multifaceted obligation: protect the technology and information that we have access to, ensure that others are doing the same, and ensure that we and our colleagues remain fit to work in a secured environment.

Once we complete the background investigation and possible polygraph process, we are given strict guidelines in how we handle and protect information from both a technological and a philosophical perspective. No matter how obvious it may or may not be, the information we access is directly or indirectly related to the safety and well-being of our warfighters abroad, our allies, our state department representatives, and even civilians. Even if you encounter information or programs that you disagree with from a philosophical, moral, or legal perspective, there are internal government avenues to voice your concern without jeopardizing the information to the general public. Choosing the avenue of public disclosure only serves those who wish to harm our interests or freedoms. That route is very treacherous, possibly traitorous and most likely illegal.

Even though you may be confident and diligent in your efforts to protect information, that doesn’t mean those around you are thinking the same way. It is equally your responsibility to be observant of the actions taken by others working with sensitive information. When suspicions arise, muster the moral courage to approach the appropriate personnel and report your concerns.  Quick action could result in stopping a serious security incident.

Lastly, we must be cognizant that we and our colleagues are displaying the mental capacity to operate in a secure environment. Working in a secure setting can easily create a false sense of security, and we assume that individuals around us are just as fit to be there as we are. However, secure areas are just as susceptible to criminal activities as an urban street corner, including anything from theft to shootings. There appears to be a growing number of mentally unstable individuals who have somehow slipped through the security screening process, or co-workers upset by a life event who feel impelled to pursue indiscriminate or directed attacks against co-workers. We must be alert to suspicious signs and have the moral courage to approach or report those who may no longer be fit to work in a cleared environment.

Some view the Mannings and Snowdens of the world as whistleblowers or even heroes. However, the information they released was not theirs to disclose or release and may ultimately seriously affect the freedoms of Americans. Conversely, attacks within a cleared setting, such as the recent Navy Yard shooting attack, raised concerns about the security screening process.  These unfortunate recent events can serve to reiterate that protecting information and maintaining a secured environment is an ongoing responsibility for everyone with a security clearance. By following tried and true policies and procedures the right outcome can be achieved.


Posted by: Steve Cadogan





Thursday, September 05, 2013

What Can Spiderman Teach Us About Teaching?

In 2009, a quick-thinking firefighter, Somchai Yoosabai, disguised himself as the comic book character Spiderman and successfully saved the life of an autistic 8-year-old boy who was sitting on the edge of a three-story school house roof.  The child was traumatized over his first day of school and would not let anyone come close to him.  Overhearing a conversation about the child's love for superheroes, Mr. Yoosabai quickly returned to his firehouse and put on a full body Spiderman costume, which he used to make fire drills at schools more entertaining.  Returning to the school, he cautiously approached and connected with the traumatized student. "I told him Spider-Man is here to save you. No monster will hurt you now." The child reacted immediately by walking toward the familiar character and was safely removed from the danger. (Read full story and see photos here)

What does this heart-warming story have to do with effective teaching methodologies?  Well, there are some critical similarities between this rescuer's actions and being an effective instructor.  Let's review some of the key factors of the child's stress.

Apprehension

The child was trying to escape from a learning environment because he was anxious about school.  He obviously felt alone, afraid, worried that he wouldn’t fit in, that he shouldn't be there and probably many other feelings that some students feel when starting a new class, regardless of their age.

Unfamiliarity

Many of the feelings that he was experiencing most likely stem from the fact that he was in an unfamiliar place; he could not find anything in the new environment that he could associate with.  This feeling only compounded the problem by contributing to his stress and was a significant factor in why he would not allow anyone near him.

Isolation

Because of the factors listed above, the child's "fight or flight" instinct was invoked.  He could not fight the fact that the school house was there, nor could he fight the fact that he was there.  So he decided to take "flight" away from all of the stress factors associated with the educational process.  Unfortunately, the flight option that he chose was a drastic and dangerous one.

The three negative, stress-inducing emotions listed above are experienced by all students at some point, even adults.  Despite the misconception, adults who are sent to training sessions don't view the time away as a work-free "vacation"; they are required to come to the training.  Based on comments from my previous students, a two-week training class can be one of the most stressful periods of a student’s life. The critical question is how instructors can help combat, or at the very least reduce, the feelings of apprehension, unfamiliarity and isolation.  I'd like to offer some suggestions.

Apprehension

Surprisingly, it is actually easy for instructors to forget that many of their students are not at all familiar with the class material.  Instructors need to address this at the beginning of the class and repeatedly stress that it's OK if they have never used Linux, logged into a router or taken apart a computer.  Tell the students to use you as a resource like they would a textbook.  I have literally told students that if they don't ask questions, there's no reason for me to be there and I'd be out of a job!  I usually see several smiles from students after I've proclaimed this light-hearted statement.  Emphasizing that you're there for them and that you're approachable will benefit all of the class members.

Unfamiliarity

It makes sense that students will not be familiar with the class material, otherwise there would be little need for them to attend.  One of the main jobs of a technical instructor is to take an abstract and technical subject and parallel the material with something that is "real world" and tangible.  For example, try using an office building’s directory as a comparison to a storage media's file allocation table.  Compare a real-life highway's congestion and slowing issues to a network's congestion and slowing issues.  Try comparing a situation where 16 children want your attention to the way a computer interrupts requested work.  I've found using children in analogies to be extremely effective because most adults are parents, or at the very least they were all children at some point.

Isolation

I previously mentioned that many adult learners are required to attend training sessions in order to learn a new task and that training is not a vacation.  They will be expected to use the skills they are learning to complete a new responsibility, or in some cases they must pass the class in order to maintain their current position.  Because of this, students experience stressful isolation even before the class begins!  The feeling of isolation of which I speak exists between the student and the class material; it's not between the student and the instructor or other class members.  Many of my former students willingly admit that they initially felt that their knowledge and experience were worlds apart from the material being taught.  I believe that one way to break this isolation is to make use of an acronym, "WIIFM" or "What's In It For Me?"  If students discover a direct connection between what is being taught and how they will use it, they will be more receptive and motivated to learn the material.  This discovery can be nurtured by the instructor using phrases such as "When you notice this problem at your work site, you can ..." or "When you are out in the field, you may see ..."  Giving the student a practical reason to learn the material can greatly aid them in comprehending and retaining the information.

Using these methodologies, an instructor may significantly help in subduing the considerable and impeding stress that all students feel at some point during the learning process.


Posted by: Michael Kobett





Wednesday, August 14, 2013

Employee Data Protection: Securing Your Most Valuable Asset

Protecting employees’ personal data is a big responsibility that falls on the shoulders of anyone who has access to create, store, handle or view personal information contained within Personnel and/or Accounting records.  Federal regulations in the Privacy Act of 1974 hold government agencies accountable for the proper management of personal information, which raises the question of how private employers protect their employees’ personal information.

Personnel files should always be maintained with utmost care and confidentiality and only shared with others on a need-to-know basis, and with the express written consent of the employee, as required by law.

While there is an endless host of actionable possibilities to protect our employees’ personal data, it is important for employers to adopt some commonsense practices, which may include:

  • Never respond to outside inquiries, other than job title, dates of employment, and employee status, for employment verification without prior written consent from the employee.
  • Develop policies and procedures with your IT department and use up-to-date technologies to protect personal information that is maintained in electronic format. Develop internal controls, such as limiting the number of people who can access personal information, as well as limiting which data each individual can view.
  • Safeguard all paper copies of personal information under lock and key with restricted access.
  • Only collect information from each employee that is required to pursue the company’s business operations and to comply with government reporting and disclosure requirements.
  • Always keep the medical history of an employee in a separate file with restricted access.
  • After employees are terminated, keep their files in your records in accordance with applicable state and federal laws. You can learn more about federal requirements by visiting the US Department of Labor’s website or by searching individual state Department of Labor sites.
  • Have a written code of ethics and a confidentiality policy, and require every employee to sign an acknowledgment of having read the policy.  Place the signed acknowledgment in each employee’s personnel file.
  • Develop a procedure for the confidential reporting of breaches such as an ethical hotline.
  • Communicate to your employees the types of data that are not considered confidential, such as partial employee birth dates (i.e., day and month only, but not year), an employee’s company anniversary or service recognition information, etc.

The bottom line is that employers should take every reasonable precaution to protect the personal data of their employees, whether that information is held in a government database or not. Not only is it the right thing to do, it’s just good business. After all, our employees are our most valuable asset, and taking extra precaution to protect our most valuable asset is an investment that contributes directly to the company’s bottom line.


Posted by: Brinda Beasley





Thursday, July 18, 2013

Creating Organizational Agility

Every upwardly mobile professional has a copy of the Organization Chart within arm's reach: straight lines and boxes mapping accountabilities and authorities, depicting the easy and “sanctioned” routes to get things done. But is this really accurate? Organizations are staffed with people. These people all have their own preferences, insecurities, personal desires and goals hidden behind the boxes on that chart. So there is a big difference between how an enterprise is organized and how it functions. There are friends, foes, good Samaritans, gatekeepers, resisters, expediters, naysayers, influencers, etc., etc. The organizational “Chart” is a maze of personalities and ambitions at best. The key to success is to accept this reality, not resist it, and work diligently to become a “maze bright” person in the organization. As discussed last time, this starts by working hard to develop effective peer relationships, but as described by Lombardo & Eichinger and others, there are additional approaches you should use to become truly agile within your organization:

Practice #1: Become more self-aware. Try to do the most honest self-assessment of your skills at “getting it done” in your organization. Identify at least one person within each group you work with and ask them for feedback on what you could do better when working with that group.

Practice #2: Pay attention to how the “Movers and Shakers” behave. If things you are doing appear to not be working, try things you generally don’t do that have proven successful for others. You have to look beyond the surface and see what is going on in the background. Who do others rely on to expedite things? Who are the major gatekeepers who control resources and information? Who appear to be the guiders and helpers? These are people you need to know better.

Practice #3: Think equity. Understand the personal “balance of trade” within the organization. Don’t just ask for things; find some common ground where you can provide help, not just ask for it. What do people need in the way of problem solving or information? How does what you’re working on impact them? What can you “trade” in return?

Practice #4: Patience. Some people know the channels to work and the steps to follow to get things done but are too impatient to follow the functional “people-driven” informal process. Developing the ability to maneuver through the organizational maze includes giving things time to run their course; taking deep breaths; and practicing serious self-control. Don’t get frustrated, lose your cool and force the agenda. Focus instead on diagnosing new paths and developing counter-moves if things really are not moving. Be mindful that the bridge you burn today, you may desperately need in the future.

Make no mistake, becoming “Maze Bright” and organizationally agile is not easy. That said, once mastered, the dividends are tremendous. You will be seen as a person who gets things done where others fail, as someone who is committed to the organization and the good of others as well as yourself. Most importantly, you will find that no skill is more respected by your team. When you can go off into the wilderness of the organizational maze and consistently come back with results that benefit your team and make their professional lives easier, their loyalty is assured. Further, the knowledge gained by developing this skill within yourself will allow you to truly build and prepare your team to perform most effectively in the future. I look forward to discussing this critical skill next time.


Posted by: Christopher Steinbach





Tuesday, June 11, 2013

Social Media in the Cyber Security Space

Last fall, I started as an intern at the Newberry Group with the objectives of assessing the impact of growing a social media presence, developing a strategy for social media use, and executing on that strategy. After nine months, my team and I accomplished these objectives and learned a great deal about the cyber security digital community in the process.

In my relatively short, but deep dive into social media strategy and development over the last two and a half years, I’ve witnessed how different the digital communities can be. The cyber security digital community is particularly fascinating. My team found that cyber security professionals tend to fall into two buckets when it comes to social media. There are those who embrace social media due to their above average understanding of its utility, and there are those who avoid it at all costs due to their above average understanding of the risks associated with it.

This creates an interesting obstacle when engaging with the cyber security digital community. The space expects a sophisticated level of engagement, yet can also feel fragmented and reserved. It seems most companies have accepted that they need to be present on social media but there are huge disparities in utilization. Some online presences are merely place holders while others are hosting weekly webinars.

My team at Newberry decided the greatest value was between these two extremes. We saw opportunities for talent sourcing, service promotion, and partnership development, but we also needed to be realistic about the amount of capacity we could commit to these efforts. The value is there to be had, but only with the people and buy-in to capture it effectively.

We knew we didn’t have the capacity to be active in every space or create a large amount of unique content, so we focused our efforts on building out the spaces we felt had the most value and created a content strategy that balanced quality and thought leadership with consistency and practicality.

Creating a social media policy also became a critical element of our strategy. The greatest enemy of engagement is uncertainty and, in a space as sensitive as the cyber security community, assessing the appropriateness of a 140 character tweet will likely lead to abandonment. We want to be as explicit as possible about our internal expectations for social media because we believe it will remove that uncertainty and foster greater internal engagement.

The development of a social media strategy and policy that balanced value with capacity is the product of what has become my biggest take away from my time at Newberry. I’ve learned that the benefits of social media do not appear over night. Early wins can be few and far between. But, sustainable and consistent execution of social media builds equity in a digital community that eventually translates into real company value.

This kind of sustainability requires a hard look at where a company can be most effective and then tailoring that to the company’s internal capacity. Instead of leaving social media to the intern as many companies do, my team decided early on that there was no point in me doing any of the day-to-day social media work. Instead, I focused on strategy and setting up Newberry’s internal structure – things that once set in place can be utilized with minimal maintenance.

I’m confident that as I leave Newberry my work will be appreciated, not missed. I’ve helped give Newberry the tools to continue to build value in the cyber security digital community on their own. While this was not part of the three original objectives I had going into the internship, I believe it is by far the most valuable and can serve as an example to others in the space.


Posted by: Ryan Steinbach





Tuesday, May 14, 2013

Developing Effective Peer Relationships

Being “Action Oriented”, having “Career Ambition”, being excellent at fostering a “Boss Relationship”, maintaining “Customer Focus”, and excelling at “Directing Others” are critical to growing into a management role and being effective in that role.  However, these vital competencies can often get in the way as one moves from being an effective manager to becoming an effective leader.  Career growth early in one’s profession often depends on being effective “up and down”.  Building trust and credibility with clients and bosses (up), and effectively directing those junior to you (down) to achieve superior results, is of paramount importance.  However, as one’s responsibilities begin to expand to support scale within an organization, it is imperative that individuals begin to work “across” and foster effective peer relationships.  Learning to work “across” is in fact the essence of organizational leadership.  Leaders are able to achieve positive results for the organization even when they do not have direct power and control over all resources involved in the activity.  Leaders are able to work through influence: trading on mutual respect and goals, sharing credit and rewards, and building and growing trust.  This highly valued ability leads to a more efficient use of time and resources by easing the exchange of ideas and talent across the organization.  Managers direct their people.  Leaders make the whole organization better.  Certainly this requires putting one’s ego on the back-burner, but the rewards for those that do are huge.  You become recognized for being someone that can work and be effective well beyond your direct span of control for the good of the organization.  How do you make this transition?  Fortunately, Lombardo & Eichinger and others offer some suggestions:

Practice #1: Curb your Competitive Nature.  If peers see you as excessively competitive, they will work to cut you out of the loop and sabotage your efforts to work across organizational boundaries.  Always offer an explanation for your thinking and invite others to explain their point of view.  Resist “staking out a position” and focus on generating a variety of possibilities.  Invite, and accept, criticism of your ideas.

Practice #2:  Separate working smoothly with peers from personal relationships.  Remember, you are not forming friendships, you are avoiding “one-upsmanship” and the “not invented here” phenomenon in all your organizational interactions.  You are keeping your ego and pride in check for the good of the organization.  That is the reputation you seek to build.  You don’t have to “Like” everyone.

Practice #3:  Avoid the water cooler banter.  If a peer does not play fair, avoid talking about it with others.  Talking about conflicts with others will often backfire on you by undermining the trust you are attempting to build with other peers.  Confront the peer directly, privately, and politely and give them a chance to save face.  Explain the unfair situation and its impact on you.  Even if you don’t totally accept what is said, you have set the stage for an improved relationship going forward.  More importantly, you will reinforce your reputation as a person who can be trusted even when there is a conflict.

Practice #4:  Keep a balanced scorecard.  Watch out for “winning” too much.  Look for appropriate opportunities to grant concessions you can live with even if they are not what you ideally wanted.  You want to foster a desire in others to work with you again and again.  If you are seen as a leader who has a strong point of view but is willing to cooperate and compromise with others, that favor will be returned when it matters most.  You will create an army of influential peers who are all too ready to support your position because you supported theirs in the past even when you did not totally agree.

Make no mistake: learning to achieve results through influence alone is a tough skill for ambitious people to master.  However, the fact remains that those who leave positive impressions get more things done more efficiently than those who leave cold, impersonal impressions.  Learning how to build and sustain peer relationships is the cornerstone for developing organizational agility.  I look forward to discussing this vital skill next time.


Posted by: Christopher Steinbach





Tuesday, April 16, 2013

Social Engineering through Social Networking: Defending Your Organization

Human beings are the weakest link in data protection, and social networking has made this weakest link even weaker.  Social engineering continues to be one of the most leveraged attack vectors for targeting an organization’s electronic data or IT systems.  Historically, a social engineering attempt would consist of an unsolicited phone call or e-mail.  Attackers would try to obtain reconnaissance-related information from an unsuspecting employee, or get them to click a link or open an e-mail attachment that would introduce malware to the system, potentially allowing backdoor access to the network.  As users have become more educated on information security, they have learned not to open attachments or click links from individuals they do not know or trust.  However, with the continued growing popularity of social networking, an attacker can perform a far more targeted social engineering attack, which greatly increases the chance of success.

One piece of information typically found in social networking profiles is employment information.  A quick search on LinkedIn or Facebook can reveal a list of potential social engineering targets for just about any organization.  By using the information found in the target’s profile, the attacker can craft an e-mail that looks legitimate and includes an attachment or link containing malicious software.  If an attacker determines the target worthy, they may even establish a false profile reflecting similar interests and befriend the employee, allowing them to eventually introduce the malware through an e-mail or link. 

Since it is not feasible to control and monitor what employees put on their personal social networking profiles, how can an organization appropriately defend against this type of attack?

1. User Education:  This has been, and always will be, the most effective tool for combating social engineering.  In addition to the typical IT security training provided by most organizations today, users should be educated on what company information is appropriate for disclosure on social networking sites and how this information could be used to exploit them.  Employees should understand that individuals they make contact with online should not be considered trusted contacts.  E-mail attachments or hyperlinks from these online contacts should not be opened on company-owned computers.

2. Policy and Procedures:  Organizations should prohibit employees from using, or listing, their company e-mail addresses on social networking sites.  If social networking sites are a means of networking or marketing and part of official job duties, consider establishing a generic e-mail account with increased security restrictions that the employee can use.  This lets the employee recognize any contact that arrives through the site and treat it as untrusted.

3. Security Infrastructure:  A reputable web proxy with malware scanning capabilities should be used to scan web traffic for potential malware.  URL filtering should be enabled, and sites known to host malicious code or malware blocked.  Social networking sites should also be restricted for users who do not have a business purpose for visiting them; URL filters typically ship with categorized, regularly updated site groups that make this easy.  Finally, a spam filtering device or service should be used to scan inbound e-mail for malware and filter unwanted e-mail.  Some spam filtering devices can also scan outbound e-mail for sensitive information such as Social Security or credit card numbers; this is commonly referred to as Data Loss Prevention (DLP).
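To make the outbound-mail DLP check concrete, here is a small content scanner of the kind such a device runs on each outgoing message. It is an added example written for this post, not Newberry’s or any vendor’s code, and the sample messages are constructed. It looks for US Social Security Numbers (rejecting area, group and serial values the SSA never issues) and for payment card numbers, and applies the Luhn mod-10 check to card-shaped digit runs so that order numbers and other random 16-digit strings are not flagged as card data.

```python
"""Minimal outbound e-mail DLP check: flag SSNs and payment card numbers.

Added example, not code from the original post or any DLP product.
The sample messages below are constructed for the example.
"""
import re

# Candidate SSN: ddd-dd-dddd, rejecting values never issued
# (area 000, 666 or 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number (PAN): 13-19 digits, optionally separated by
# single spaces or dashes as people type them.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {'ssn': [...], 'pan': [...]} for matches found in text."""
    ssns = SSN_RE.findall(text)
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn cuts the false positives that a bare digit-run regex produces.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(m.group(0))
    return {"ssn": ssns, "pan": pans}


def dlp_verdict(message: str) -> str:
    """'block' if the message body carries SSN or card data, else 'allow'."""
    hits = find_sensitive(message)
    return "block" if hits["ssn"] or hits["pan"] else "allow"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known
    # Luhn-valid test number, the other digit run is not Luhn-valid.
    samples = [
        "Hi, the card on file is 4111 1111 1111 1111, exp 12/25.",
        "Ref 1234 5678 9012 3456, call 555-123-4567 with questions.",
        "Please update my SSN to 123-45-6789 in payroll.",
    ]
    for s in samples:
        print(dlp_verdict(s), find_sensitive(s))
```

Pattern matching like this is only a first-pass filter: it will miss data that is encoded, split across lines, or inside an encrypted attachment, and the Luhn check reduces but does not eliminate false positives, so in practice a blocked message should be quarantined for review rather than silently dropped.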

With employees advertising more personal information on social networking sites, we can expect to see a continued increase in targeted social engineering attacks.  As with any security threat, a layered defense strategy is the best defense against social engineering attacks.


Posted by: Steven Carney





