Social engineering is the process of attacking the human, or employee, rather than the technology directly.  Through social tactics, an employee is tricked into performing an action, such as installing malicious software, divulging information, or performing an authorized transaction.  The theft of user credentials is a significant risk from social engineering.
 
According to the Verizon Data Breach Investigations Report (DBIR), 29 percent percent of data breaches involved theft of user credentials.  Read other highlights from the Verizon DBIR here
user credential theft is a social engineering and phishing threat
Through the theft of user credentials, an attacker is often able to use these credentials to conduct perform malicious or unauthorized activity.  Depending on the organization's security structure and the types of credentials obtained, the attacker may be able to perform the attack directly, or may need to escalate privileges.
 
Like other areas of security, a layered defense is critical to minimizing the security threat.  Key controls to minimize the threat of user credential theft include, but are not limited to, the following:   
 
Train employees to be vigilant for phishing threats.   Employees are often the weakest component of a layered security defense.  Continued training and testing is critical to improving human behavior.  
 
Implement multi-factor authentication.  Through the use of multi-factor authentication, it is much more difficult for an attacker to obtain complete authentication credentials.  As such, the risk for the organization from the theft of user credentials is much lower.
 
Establish a "least privilege" concept for user access levels.  Should an account be compromised, the less access the account has the better. For example, the compromise of an administrative account, which can add users, change security settings, etc., would be more serious than an account with view only privileges.  For this reason, an administrator should not use such administrative level credentials for daily activities that do not require such access.  
 
Enable monitoring.  Access to key accounts or functions should be monitored.  As such, if a key account is compromised, the organization may be able to identify the compromise before significant damage occurs.  
Require dual control for key transactions. Any key or high-risk transaction, such as the movement of funds in a financial transaction, should require dual controls.  The likelihood of two accounts being compromised is significantly reduced.
 
Segregate networks into security zones.  Key areas of a network should be segregated to allow additional controls, such as monitoring or multi-factor authentication. Through proper segregation, key assets can be further protected without the overhead and cost of implementing the controls across the entire organization.   
 
These controls help minimize the the likelihood of a stolen user credential, or minimize the impact should a user account be compromised.  For additional security controls to help minimize the threat from social engineering, please review the security controls document on our resources page.
 
PhishingBox provides tools and resources needed to train employees against social tactics.  Such training can be accomplished via our do-it-yourself platform, or through our fully-managed Socially Secured Program.  Contact us today to learn more.