Social engineering is the act of coercing or manipulating people into divulging confidential information or into taking actions that allow someone to steal confidential information. This is very different from using technical hacking techniques or exploiting computer or networking weaknesses to get this information. Social engineering works on our psychology. Just think of all the ads and scams that play on people’s emotions to buy something or donate money. It uses the same thinking to steal information.
Kevin Mitnick popularized the term many years ago when he started using simple techniques to gain access to systems. Mitnick said it was a lot easier to trick someone into giving him a password than to spend a lot of time hacking into a system. This is nothing new, but more people are using these techniques to steal valuable information from businesses.
You’ve probably seen various forms of this in movies and television shows. A great example is how James Bond got into a secure aeronautics facility in Diamonds are Forever. 007 waited until he saw an employee about to enter the facility. He pretended to use his key card in the door, but actually let the other person do it. He then followed him into the building. Criminals and others trying to gain access to a building or office can do the same by using the pretense that they forgot their access card, so it’s very nice of them to let you in. Once inside, the person could steal a computer, steal documents or download data onto a USB drive.
Social engineering has proven very successful as a way for people to get inside your organization. It can be a lot easier than hacking into vulnerable computer systems. If I can steal a username and password, I can browse around a network and see what I can steal. One way that criminals take advantage of social networks is by finding employees on LinkedIn, Facebook and Twitter. It’s very easy to friend or follow someone and a potential wrong doer may find something in common that they can use to find a phone number or email address. Once they have that information, they can contact you and find a way to trick you into revealing something of value.
Unfortunately people are fooled every day by these cons because they haven’t been properly warned about social engineering. Here are some of the more common techniques:
Phishing – fraudulently obtaining private information by appearing to make a request from a legitimate business. The most common ones are sending emails from your bank asking you to verify information on your account. The hook is that if you don’t your account will be cancelled or some other dire consequence will occur. The email has a link to a fraudulent web site that asks for a password, PIN number or a number of other private pieces of information.
Diversion – you see this in movies all the time. Someone distracts a security guard and an accomplice walks into a secure area. Another variation is to pretend to be from a maintenance company or utility. You have official looking paperwork and a uniform and walk in to supposedly fix something. Once in, it’s easy to steal laptops or errant documents lying around.
Pretexting – using an invented scenario or pretext that convinces someone to divulge information or act in a way that they would not normally act. An example might be someone calls you and they say they are from IT. They need your password so they can fix a problem on your computer. They have information about you and sound legitimate, so you give them your password.
Baiting – convincing someone to attach a malware infected USB drive or load other media onto their computer. The media looks legitimate or even enticing. It might be a CD with your company logo and has a label saying 2011 Ethics Rules. Or better yet, it says Executive Salaries and Bonuses. Someone leaves it in a public place and you pick it up. All of us are curious and we plug it in to take a look. Malware runs and the attackers potentially have run of your network. Malware infected USB drives got into the Pentagon a few years ago in just this way.
Unfortunately, human behavior is always the weakest link in any security program. People don’t question you when you look like you belong. This is common when entering a building or on the phone. If someone calls you from a vendor or customer looking for information and knows enough about you and your company, you assume they are legitimate.
It’s important to train your employees to look out for social engineering scams and tricks. These techniques are constantly changing, just like with viruses and malware.
Here are a 10 measures to help prevent social engineering from compromising your information:
- Determine what information is sensitive and inform employees.
- Train employees on common social engineering techniques and how to spot them.
- Don’t reveal personal or financial information in email.
- Don’t respond to email solicitations for personal or financial information.
- Be suspicious of unsolicited phone calls, visits, or email messages from people asking about employees or other internal information.
- Don’t provide organizational information over the phone, including your computer or network structure, unless you are certain of a person’s authority to have that information.
- Verify a person’s or email’s legitimacy, if you are suspicious.
- Train employees to verify the identity of someone who requests sensitive information in person, through the phone or by email.
- Train employees to politely refuse a request for information, if they can’t verify a person’s identity.
- Test these security measures regularly. The tests should be unannounced.
If an unauthorized person compromises your network or gets into your office, you can still prevent them from stealing valuable information. Encrypting documents and important data is a way to make sure that the information is worthless even if it gets into the wrong hands. Encrypt laptop hard drives and other mobile devices and media. Use persistent protection on your documents, so that if something gets out, you can control who can use it. If a document is stolen or sent inadvertently to a social engineer, you can kill it. If someone tries to read the content, it’s useless to them. Train everyone to spot social engineering techniques and use encryption technologies to lock down your documents and data.
If you don’t, I have a nice bridge I would like you to look at.
Photo credit ViNull