Secure your SFTP server: Tip 6 - Social engineering and SFTP
This post is the last in our series on securing your SFTP server. It's time for some concluding remarks and a word on social engineering and SFTP.
Firstly, never relax! Maintaining security is an ongoing task, and it is important to be vigilant - regularly checking logs, testing your security measures, and ensuring security patches are applied as they become available. Suspicious activity needs to be acted on immediately.
Secondly, be aware that many successful attacks stem from social engineering, or from disgruntled employees or ex-employees. Social engineering is the manipulation of people into providing confidential information – by calling help desks, for example, and claiming to have lost their password. Former employees may still have access to company systems, and current employees may have access to systems they should not be using. In all these cases, attackers are in possession of valid usernames and passwords, and so they are not easily detected. Many of the techniques presented earlier in this series are of limited value when valid credentials are being used, particularly if the attackers are your own employees.
To prevent these kinds of attacks, certain business processes must be put in place. For example, when a person leaves the company, any credentials and access they may have should be immediately disabled. This requires the human resources department to coordinate with IT prior to the person's departure.
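Because a login with valid credentials looks legitimate to the server, the log review mentioned above is one of the few controls that still works once offboarding has been missed. The following script is an added example, not code from the original post: it cross-checks OpenSSH-style sshd log lines (which an SFTP server based on OpenSSH writes) against a constructed list of departed users and their last day, and flags any SFTP session opened after that date. The log lines, user names and dates are all constructed sample data.

```python
"""Flag SFTP sessions by accounts that should have been disabled at departure."""
import re
from datetime import date

# Constructed sample sshd log lines. OpenSSH logs an "Accepted" line and then a
# "subsystem request for sftp" line carrying the same PID for the same session.
SAMPLE_LOG = """\
Mar 03 09:12:01 sftp01 sshd[2143]: Accepted password for jsmith from 10.0.5.23 port 51822 ssh2
Mar 03 09:12:01 sftp01 sshd[2143]: subsystem request for sftp by user jsmith
Mar 04 22:40:17 sftp01 sshd[2290]: Accepted publickey for bjones from 203.0.113.9 port 40011 ssh2
Mar 04 22:40:17 sftp01 sshd[2290]: subsystem request for sftp by user bjones
Mar 05 08:01:44 sftp01 sshd[2312]: Accepted password for alee from 10.0.5.40 port 51990 ssh2
Mar 05 08:01:44 sftp01 sshd[2312]: subsystem request for sftp by user alee
"""

# Constructed offboarding list (hypothetical HR export): username -> last day of employment.
OFFBOARDED = {"bjones": date(2024, 3, 1), "alee": date(2024, 3, 10)}

ACCEPTED = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{2}) \S+ \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SFTP = re.compile(r"sshd\[(?P<pid>\d+)\]: subsystem request for sftp by user (?P<user>\S+)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def find_stale_logins(log_text, offboarded, year):
    """Return (user, date, ip, auth_method) for every SFTP session opened by an
    offboarded user after their last day. Syslog lines carry no year, so the
    caller passes the year the log covers."""
    accepted = {}  # pid -> (user, date, ip, method) for successful authentications
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            when = date(year, MONTHS[m["mon"]], int(m["day"]))
            accepted[m["pid"]] = (m["user"], when, m["ip"], m["method"])
    hits = []
    for line in log_text.splitlines():
        s = SFTP.search(line)
        if s and s["pid"] in accepted:  # only sessions that actually opened SFTP
            user, when, ip, method = accepted[s["pid"]]
            last_day = offboarded.get(user)
            if last_day is not None and when > last_day:
                hits.append((user, when, ip, method))
    return hits


if __name__ == "__main__":
    for hit in find_stale_logins(SAMPLE_LOG, OFFBOARDED, 2024):
        print("STALE ACCOUNT LOGIN:", hit)
```

Run against the sample data, only bjones is reported: alee's session predates that user's last day, and jsmith is not on the offboarding list. Any hit is a signal that the offboarding process failed, not just that one account needs disabling.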
For social engineering attacks, help desk staff must be trained to properly identify callers, and not to give out sensitive company details. Passwords should never be disclosed. Guests should be escorted at all times while they are on the company premises. Document management is important, particularly document destruction. Sensitive documents that are being disposed of should be dealt with securely.
Phishing is a form of social engineering, and can be used to obtain credentials and other sensitive information. Phishing is usually done by encouraging people to click on email links that lead to disguised sites which capture what the user types or are infected with malware. Good anti-virus software and user training will reduce the risk of employees succumbing to phishing attacks.
It's a scary world out there in cyberspace. Trying to secure corporate networks and confidential data can be intimidating when you are aware of the many ways that your systems can be compromised. But thorough, ongoing preparation based on the advice presented in this series will significantly reduce your risks.