What is “social engineering,” and how do you prevent malicious attacks such as phishing? Many of you have heard the term before, but you may not know exactly what social engineering means. There are many forms of social engineering; however, when we talk about baiting, phishing, and tailgating, we’re not talking about a fun weekend at the lake.
In the realm of data security, ‘social engineering’ refers to using social means, such as persuasion, impersonation, or simple helpfulness, to gain entry into a system, a building, or a store of information.
One example of social engineering you might remember from the movies is the scene in the film “Hackers,” when the hero gains access to a TV station by tricking a security guard into revealing the phone number of an internal modem, which he then uses to take over the station. According to Kevin Mitnick, a reformed computer criminal turned security consultant, it is much easier to trick someone into giving a password for a system than to spend the effort to crack the system.
In our daily lives social engineering is a bit more subtle, but even more prevalent than what we see in the movies. For example, an attacker may wait outside a secured door for an employee to enter, and then either claim to have lost or forgotten a badge, or simply grab the door before it closes and walk in. This is known as ‘tailgating’, and even though most people know what it is and how to prevent it, it is in our nature to be helpful, and that makes us want to help a “new employee” who looks lost.
Almost everybody has heard about someone receiving a legitimate-looking email from a service such as a bank or utility, asking them to verify their information. This technique is called phishing. Most people are savvy enough to recognize this sort of thing (unless you really do know a Saudi prince who wants to give you $50,000) and either ignore it or report it to the institution being fraudulently represented. Unfortunately, this type of attack is still effective, and many people are tricked into giving away access to their personal information.
Another type of social engineering attack is called quid pro quo. In this attack a hacker calls random numbers at a company claiming to be from technical support. Once they find a cooperative victim, they instruct them to install malware that then gives the attacker access to the internal network.
Preventing social engineering attacks is difficult because prevention relies on each individual knowing what these attacks look like. What is your company doing to prevent social engineering attacks?
Many companies today have policies in place that require the caller’s account or identity to be verified before any information is given out. This certainly helps stem the flow of unprotected information, but it is not a foolproof method.
In today’s business environment it is up to companies to properly train their employees in the countermeasures against social engineering, and up to the trained individual to remain vigilant in following safe practices and procedures regarding the release of information.
If your company needs to protect sensitive data such as credit card information, health information, or other personally identifiable information (PII), you should also make sure you have the correct network security in place, and protect sensitive data at the source using strong encryption and encryption key management.