April 25, 2022
How CDW Security Services Help Defend Against Social Engineering Attacks
Proactive penetration tests and maturity assessments can help you understand and address your vulnerabilities.
IT professionals understand that one of the biggest risk factors they must deal with is the human element: our habits, emotions and weaknesses that an attacker can use against us. Almost any employee is potentially vulnerable to an attacker who knows how to manipulate people to achieve an objective, whether that’s harvesting information or tricking someone into providing unauthorized access.
Social engineering — which includes phishing, spear phishing, whaling and other scams — is among the most common initial attack vectors. It is usually much easier to compromise a person than to compromise technical controls, especially if an organization has done its due diligence and put up a solid IT defense.
An attacker might send an email impersonating an organization’s CEO and directing an employee to complete an urgent task. The attacker might claim to be a coworker who can’t access his or her computer and desperately needs someone else’s login information to complete a task to avoid getting in trouble. Most of us care about our coworkers and want to help them, and attackers use this good will to their advantage.
Today, cybercriminals are doing more research than ever to tailor their attacks and apply as much psychology as they can to manipulate targets. Whether an attacker strikes a lower-level employee or a whale at the top, the strategy remains the same: leverage human emotion to convince someone to do or to reveal something they shouldn’t. Fortunately, CDW offers services that can help organizations protect themselves from these attacks.
Social Engineering Penetration Tests Reveal Potential Weaknesses
Cybercriminals continuously evolve their attacks, which means organizations need to periodically reassess their defenses. CDW can help by using assessments to identify gaps in organizations’ network and physical security.
Our penetration tests can be scoped to include social engineering techniques, which are designed to create the most realistic situation possible using the same types of research and targeting that an attacker would employ. The goal is to help organizations proactively identify weaknesses such as how staff respond to phishing or to requests for data and system access.
To assess employee awareness, we craft highly targeted, email-based phishing attacks to see if users can identify them as bogus requests. For employees who fall prey to these simulated attacks, we recommend supplemental training or solutions that can help them identify and report phishing email.
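The impersonation patterns described above (an external sender using an executive's display name, a Reply-To that points somewhere other than the From domain, a look-alike domain, urgency language) can be checked mechanically before a message ever reaches a user. The following is an added illustration written for this page, not CDW's tooling: it uses only the Python standard library, and the organization domain, executive names and sample message headers are all constructed assumptions.

```python
"""Flag common CEO-fraud and lookalike indicators in raw email headers.

Added example, not CDW's code. ORG_DOMAIN, EXECUTIVES and the sample
messages below are constructed for the illustration.
"""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "acme.example"                 # assumed organization domain
EXECUTIVES = {"jane doe", "john smith"}     # assumed display names worth protecting
URGENCY_WORDS = ("urgent", "immediately", "asap", "today")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _is_internal(domain: str) -> bool:
    """Treat the org domain and its subdomains as internal."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def classify_headers(raw_headers: str) -> list[str]:
    """Return a list of human-readable findings for one message's headers.

    Checks, in order: executive display name from an external domain,
    Reply-To domain differing from From domain, sender domain that
    resembles the org domain, and urgency language in the Subject.
    """
    msg = message_from_string(raw_headers, policy=policy.default)
    findings: list[str] = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    name = " ".join(display.lower().split())   # normalize whitespace/case

    # 1. Executive name on a message that did not come from our domain.
    if name in EXECUTIVES and not _is_internal(from_domain):
        findings.append(
            f"display name '{display}' matches an executive but sender domain is {from_domain!r}"
        )

    # 2. Replies silently redirected to a different domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_domain = _domain(parseaddr(str(reply_to))[1])
        if rt_domain != from_domain:
            findings.append(
                f"Reply-To domain {rt_domain!r} differs from From domain {from_domain!r}"
            )

    # 3. External domain that reuses the org's first label (e.g. acme-corp.example).
    label = ORG_DOMAIN.split(".")[0]
    if not _is_internal(from_domain) and label in from_domain:
        findings.append(f"sender domain {from_domain!r} resembles {ORG_DOMAIN!r}")

    # 4. Pressure language; weak alone, useful combined with the above.
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency language")

    return findings


# Constructed sample headers (not real messages).
CEO_FRAUD = """From: "Jane Doe" <jane.doe@gmail.example>
To: accounts@acme.example
Subject: Urgent: wire transfer before noon

"""
LEGIT = """From: "Jane Doe" <jane.doe@acme.example>
To: accounts@acme.example
Subject: Q2 planning

"""
LOOKALIKE = """From: "IT Helpdesk" <helpdesk@acme-corp.example>
Reply-To: <support@mailbox.example>
To: staff@acme.example
Subject: Password expires today, verify immediately

"""


def demo() -> dict[str, list[str]]:
    """Run the three samples and return findings keyed by sample name."""
    return {
        "ceo_fraud": classify_headers(CEO_FRAUD),
        "legit": classify_headers(LEGIT),
        "lookalike": classify_headers(LOOKALIKE),
    }


if __name__ == "__main__":
    for sample, hits in demo().items():
        print(sample, "->", hits or ["no findings"])
```

These heuristics are deliberately simple and will produce false positives (a legitimate executive writing from a personal account, for example); in practice they are one input to a mail gateway or reporting workflow alongside SPF, DKIM and DMARC results, and the training recommended above for employees who click is still what closes the gap.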
Social Engineering May Target Access to Sensitive Physical Locations
CDW also assesses how employees might respond to attempts to gain access to a physical location. For example, attackers could try to obtain sensitive information by getting an employee to provide credentials for a specific terminal or enable entry to restricted areas, such as a data center.
As part of a social engineering exercise, we use a variety of strategies — some of them highly creative — to help organizations identify and understand their gaps when it comes to physical security. Just as with online attacks, research is key. If an attacker has done the research, and if they know that it’s easy to bypass physical controls to enter a specific part of a building or gain access to a terminal to obtain information, they’ll do it.
Assess Organizational Maturity to Withstand Social Engineering Attacks
CDW uses several assessment methods to examine all aspects of an organization’s approach to security, including interviews, a review of existing controls and technical testing. This approach provides a holistic picture of where the organization is today and its goals for improvement, to help create a roadmap for getting there.
Another way to measure maturity is to examine risk from the standpoint of compliance and cyber insurance. Many organizations must comply with laws and regulations that mandate certain controls, and this typically includes security awareness training and exercises related to social engineering. Insurance, in particular, is driving a lot of the conversation about organizational maturity and the types of controls that organizations need.
Finally, if the worst case occurs and a social engineering attack succeeds, we can help organizations recover through CDW’s incident response services. Ultimately, the end goal for CDW is to help our customers reduce security risks and stay ahead of cyberthreats through proactive security assessment.
Story by Alex Gellineau, who has been with CDW for 13 years and has held a number of roles within the Cybersecurity organization. Currently, he serves as a field solution architect for CDW’s Information Security practice. His expertise includes risk assessment, offensive security, incident response, breach readiness, framework and regulatory analysis, and security advisory services for clients across all business verticals in the Western U.S. Alex is a Certified Information Systems Security Professional (CISSP) and he also holds certifications from cybersecurity firms such as Broadcom (Symantec), Palo Alto Networks, Fortinet, Cisco, Forcepoint and Trellix (McAfee).