We often talk about unauthorized people “hacking” into computer systems, accounts, networks, and electronic devices. What may be surprising to you is that usually there’s no real “hacking” involved. Sometimes these people gain access to their victim’s systems through human interaction via a process known as social engineering.
What is Social Engineering?
“Social engineering”, when used in an information technology context, refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick used for information gathering, fraud, or system access. Unscrupulous people use social engineering to gather information about their target and then use that information as leverage to gain access to data, systems, devices or other sensitive materials. There are many types of social engineering. Two of the more common types are “phishing” and “baiting”.
Phishing is an attempt to gain sensitive information, such as credit card numbers or usernames and passwords. The most common phishing attempts are executed through well-crafted emails that appear to be from a trustworthy source. These emails usually try to entice users into clicking on a link that takes them to a seemingly legitimate website prompting for a “password” or “confirmation” of some other type of sensitive information. When the end user enters their password, the information is transmitted to the sender of the email, where it is then used for nefarious activity. These emails are usually sent by mass email or social media, essentially throwing a lure in front of as many people as possible and waiting for the few who are still willing to bite, hence the term “phishing”. Targeted phishing campaigns, designed for a specific group, company, or organization, have increased recently.
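The lure described above relies on the link's visible text looking like the legitimate site while the href points somewhere else. The following is an added example, not code from the original post, of a small check a mail filter or training tool could run over an HTML email to flag that mismatch; the domains in SAMPLE_EMAIL are constructed placeholders.

```python
# Added example (not from the original post): flag links in an HTML e-mail whose
# visible text shows one domain while the href really goes to another.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

DOMAIN_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample e-mail body; every domain here is a documentation placeholder.
SAMPLE_EMAIL = """
<p>Your account will be suspended unless you
<a href="https://secure-bank.example.net/verify">confirm at https://www.bank.example.com</a></p>
<p>Questions? <a href="https://www.bank.example.com/help">bank.example.com/help</a></p>
"""

def _host(url):
    """Lower-cased hostname of a URL (a scheme is added if the link omits one)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def _same_site(a, b):
    """Crude check on the last two labels: www.bank.example.com vs bank.example.com."""
    return a.split(".")[-2:] == b.split(".")[-2:]

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return the hrefs of links whose visible text names a different site than the destination."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if shown and not _same_site(shown.group(1).lower(), _host(href)):
            findings.append(href)
    return findings
```

Links whose visible text contains no domain at all (plain “Confirm now” buttons) pass this check, so it complements rather than replaces hovering over links before clicking.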
Baiting is exactly what it sounds like. Baiting involves leaving electronic media such as thumb drives, CDs or DVDs, SD cards, etc. in common areas such as break rooms or parking lots. The media contain tools used by hackers to record passwords and other information and transmit them back to the attacker; these are usually key-loggers or Trojan horse type programs. They depend on natural human curiosity to work. An employee finds the thumb drive, CD, etc., takes it inside and inserts it into their computer. Once inserted, it installs these nefarious applications and your data is then transmitted to the criminals. This type of targeted attack can be amazingly effective because most end users see these devices as nothing more than a piece of hardware. You can read more about baiting here: Social Engineering, the USB Way
“A credit union was concerned about the security of its network and hired a security company to determine where it could improve. 20 random, cheap thumb drives were loaded with keylogging software and simply distributed around the building as if they’d been simply dropped and forgotten. Of those 20 devices, 15 were found by employees. Of those 15 a full 100% were immediately taken back inside and plugged into company computers which automatically ran the software and started to report back to the security company along with screenshots, passwords, etc.”
Phishing calls have become more popular now that just about everyone has a phone with them at all times. Recently I had a call on my cell and then again a few days later from “Sam” with “your IT support team”. They had noticed an “error and wanted to check it out before I noticed an issue”. If I would give them my Windows user name and password they would get right on it so “I would not notice any interruption in service”. Familiar with this particular scam, I flat out asked the foreign-sounding guy on the other end of the line, “how many people fall for this?” Sadly, I suspect hundreds or thousands do. By the way, I then asked him to hold while I connected him to the local FBI field office…. Click!
Beyond the common means of exploitation mentioned above, there are many other avenues for gaining access to you and what you know. In today’s social media obsessed society, information about you and what you are interested in is readily available. That data can be used to create familiarity and to gain your trust, or the trust of those around you, for nefarious reasons. Limiting such data on Facebook, LinkedIn, Twitter, Tumblr and others will make it harder for bad guys to identify easy means of access to you. Limiting who can see your specific posts is key to managing your online footprint.
How can you protect against Social Engineering?
The best way to prevent your employees from falling victim to social engineering boils down to one word: EDUCATION. Warn them about possible threats. Tell them to be wary of emails asking for password information. Make sure they know not to plug any device into their computer that they do not own themselves or know for certain to be safe. Don’t give sensitive data to anyone over the phone unless they are a VERIFIED trusted source. Perform frequent checks to see which of your employees may need more education on these dangers in order to protect themselves and your company from identity or data theft. There are a variety of ways to identify employees who may need more training and to provide that training. We at F1 Solutions can provide a wide array of services to assist you in making sure your employees are less likely to fall victim to social engineering and expose your company to data theft as a result.
We provide the services of highly skilled security specialists to assist you in identifying those trouble spots and can help you to develop a plan to tighten your security and make sure your employees and company assets are protected. Simply contact Jennifer or Shawn to take the first step toward ensuring you are safe, secure, and protected by the highly skilled professionals at F1 Solutions.
An interesting read would be: Social Engineering: The Art of Human Hacking