How To Protect Your Business (And Yourself) From Social Engineering
Contents
As much as apps are just a different way of conceptualizing traditional software, social engineering is the modern take on old-school confidence schemes. The core premise is the same; the attacker represents themselves as someone they are not to gain the trust of someone who then hands over access or materials that the attacker is not supposed to have.
What exactly is social engineering?
“A type of confidence trick for the purpose of information gathering, fraud, or system access, it…” – Wikipedia
In terms of the threat to your business, the greatest risk from social engineering is of an employee being duped by a con man and giving them access to critical data, or even to your financial resources.
Attackers generally do this by having enough inside, specialized knowledge of your business workings and industry to pass themselves off as legitimate employees, clients or government officials. They may deploy their attacks by using sensitive data that was stolen from an outside source, like an employee’s social security number or the personal address book of an executive. Some social engineering hacks are frighteningly simplistic, though, requiring only a minimal amount of communication between the attacker and your staff to give the hacker access to critical resources.
Cold Calling / Emailing
Though social engineers usually prefer to go in with some sort of inside information that will make them appear legitimate, it’s possible to execute these attacks knowing absolutely nothing about your company or the people in it whatsoever.
An example of a particularly brazen scam that requires no internal knowledge whatsoever is to dial various numbers throughout the company in sequence, pretending to be from a managed IT company or equipment maintenance department returning a call about a technical support issue. Most employees will shrug the call off as a wrong number, but eventually the scammer may hit someone who actually is having an issue with their computers or equipment. Believing the call to be legitimate, the employee may then provide login credentials, pass files or allow the scammer to remotely install malware.
Another simplistic attack is to “spoof” an email address so that it appears to belong to someone in the company, then send out a mass email in the hopes of baiting a respondent into installing malware or revealing sensitive information.
The Personal Touch
As mentioned above, while social engineers employ indiscriminate blanket approaches such as the ones mentioned above, they much prefer to obtain some smaller amount of sensitive information from a company employee first and use that as a pretext to gain greater access.
Social engineers love to attack services that use known security protocols and are usually relatively poorly secured by the account owners. These include mobile phones, web-based email accounts like Gmail, and cloud file storage services. Determined attackers can use a variety of tricks to get access to an employee’s personal account, usually by convincing the service to reset the password for them. Once inside, the attacker can use both the account and the contents of it to further establish misplaced trust with other people in the company.
Good password hygiene (not reusing passwords between services, using long passwords with a mix of numbers and symbols) and two factor authentication are definitely good security practices that should be put in place to deter hacking. However, the most common vulnerability to a social engineering attack is a lax password reset policy, which can step the attacker right around all these measures. Internal policies should be reviewed, and employees should also be encouraged to review the reset policies of their own various personal accounts for both their own personal security and the security of the business data they handle.
“Executives ‘get it’ right away,” says Wombat Security president and CEO Joe Ferrara, about awareness training. “The people who are harder to convince are…the die-hard technologists who don’t want to leave [anything] in the hands of the user.” – Dark Reading
Internal security and identification protocols also should be reviewed in light of these methods, and employees trained as to what types of data are critical and what specific criteria must be met before it is considered appropriate to grant access to it.
