Many people think of hackers as evil geeks pounding away at the keyboard for long hours, trying to figure out a way to gain illegal access to an organization’s digital space. Although many hackers do operate much as this stereotype suggests, they may also employ social engineering tactics that allow them to—figuratively speaking—walk through the front door of an organization’s secure cyber territory. Social engineering, in this context, refers to the act of manipulating people into performing actions or divulging information that permits attackers to gain unauthorized access. These hackers exploit the natural vulnerabilities inherent in human interaction in order to bypass cybersecurity measures. Sometimes the attacker takes the time to develop a personal relationship before asking for a password or other confidential information. A persistent, creative person with insight into the ways people interact may find a way to obtain passwords or other data without using any programming skills at all. It only takes one victim providing the right information to enable an attack on secure systems.
Examples of the social engineering approach:
- A large company has a closed group on Facebook®. The hacker “friends” someone at the company on Facebook and then uses this friendship to gain more “friends” within the company. The hacker is approved for membership in the closed group because he or she seems to know so many people in the company. From there, the hacker obtains even more “friends” and also learns personal facts about the company and the people who work there. He can then email “co-workers” with requests for confidential information, telling them, for instance, that they have been hacked and he needs to clean up their systems. He may direct them to a rogue website, set up to look legitimate, that asks for passwords, account numbers or other data. Everyone trusts him because he is in the closed group and “friends” with many of them. Once he has the information he wants, he can easily access secure systems.
- In another example, the attacker poses as a member of the IT team and calls a staff member asking for a password in order to troubleshoot a problem. Or the attacker may call the IT department itself, pretending to be a high-ranking executive in the company who has forgotten a password and must have it immediately.
By following the procedures below, organizations can help guard against social engineering:
- Educate all personnel. As mentioned above, a criminal employing social engineering techniques often only needs to trick one person to gain desired access. Tell your staff what social engineering is and what common tricks are frequently used. Have a security expert detail the type of information that staff should know. For instance, just letting staff know that they should never give out passwords over the phone may help to avert a security breach.
- Update all software. By updating not just anti-virus software but all office software, companies reduce the chance that hackers will find security lapses they can exploit.
- Document processes and procedures. When important processes and procedures, such as change management, are fully documented, staff are less likely to be tricked into believing a crisis is taking place and are therefore less willing to hand over confidential information to someone who claims to need it urgently.
- Classify and handle information appropriately. A clear description of which documents are sensitive and how they must be handled reduces the likelihood that a staff member will misjudge a request when confronted by an attacker.
- Physical security. Ensure that controls such as visitor logs and coded entrance doors are in place. Make sure all staff know to lock their computers with a password whenever they walk away, even if only for a few minutes.
By understanding what social engineering is and ensuring that safeguards are in place, organizations may better protect themselves from this deceitful form of hacking.