This article by AJ Thompson, CCO, first appeared in CV Magazine
So, you’ve got best of breed when it comes to network security, and your building has a state-of-the-art access control system. However, even though you may have invested in the technology, a social engineering attack could bypass all of these defences within minutes. For example, if a fire safety inspector requests access to your building, you’re legally required to grant it so that they can do their job. They ask a lot of questions, they take electrical readings at various wall outlets and they examine wiring under desks.
The problem, in this case, is that they’re really security consultants doing a social engineering security assessment: grabbing access cards, installing keystroke loggers, and generally getting away with as much of your business’ private information as possible.
Social engineers and criminals who take advantage of human behaviour to pull off a scam such as this aren’t worried about a badge system. They will simply walk right in and confidently ask for access. Even the best of breed network systems won’t mean much if your users are tricked into clicking on a malicious link or attachment that they think was sent by a Facebook friend or a colleague. These are some of the methods that criminals and security consultants use every day with great success.
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Social engineering has proven to be a very successful way for criminals to get inside your organisation. Once a social engineer has a trusted employee’s password, he can simply log in and snoop around for sensitive data. Other scams include tricking employees out of their access cards or codes in order to physically get inside a facility, whether to access data, steal assets, or even to harm people. If social engineers have limited time within the building, they may connect a wireless access point and router to a meeting room network point or under someone’s desk. They can then leave the building and take as much time as they like, snooping on the data that is being transmitted to them outside of the building.
Criminals will often take weeks, if not months, getting to know an organisation. Preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. In these days of social sharing, profiling targets has become very easy.
People are fooled every day by these tactics because they haven’t been adequately warned about social engineers. Human behaviour is always the weakest link in any security program. Without the proper education, most employees won’t recognise a social engineer’s tricks because they are often very sophisticated.
Social engineers use a number of psychological tactics on unsuspecting victims:
– Successful social engineers are confident and in control of the conversation. They simply act like they belong in a facility, and their confidence and body posture put others at ease.
– Social engineers may proactively approach people and draw attention to themselves, using humour to create trust.
– Many social engineering scams online take advantage of both human fear and curiosity. Emails or instant messages that are specifically targeted at you are often impossible to resist if you aren’t aware that the sender is simply a social engineer looking to trap you into clicking on a bad link.
– Successful phishing attacks often warn you that your bank account has been breached and that you need to take immediate action, playing on a person’s concerns about money being taken or a negative impact on their credit score.
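The fear-and-urgency lure described above (your account has been breached, act immediately, click here to fix it) leaves recognisable traces in the text of a message. The following Python script is an added example, not part of the original article, showing how a defender can turn those cues into simple indicators and score a message with them. The phrase lists, the two sample messages and the `.test` domains are constructed for this example; a scorer like this supplements awareness training rather than replacing it, since a well-crafted lure can avoid every phrase on the list.

```python
"""Heuristic scoring of fear/urgency phishing lures in email text.

Added example (not from the article). The phrase lists and sample messages
are constructed assumptions, not a vendor's rule set or real mail.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cues that play on fear of financial loss or a breached account
FEAR_PHRASES = (
    "account has been breached",
    "account has been compromised",
    "unauthorised access",
    "unauthorized access",
    "account will be suspended",
    "your credit score",
)
# Cues that pressure the reader to act before thinking
URGENCY_PHRASES = (
    "immediate action",
    "act now",
    "within 24 hours",
    "respond immediately",
    "urgent",
)
# Cues that ask for the thing the social engineer actually wants
CREDENTIAL_PHRASES = (
    "confirm your password",
    "verify your account",
    "enter your login details",
)


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    # (visible link text, real href) pairs, as a mail client would render them
    links: list = field(default_factory=list)


def _hits(text, phrases):
    lowered = text.lower()
    return [p for p in phrases if p in lowered]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def link_mismatches(links):
    """Return hrefs whose host differs from a host named in the visible link text."""
    bad = []
    for text, href in links:
        visible_hosts = re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        real = _host(href)
        if visible_hosts and real and not any(
            real == v or real.endswith("." + v) for v in visible_hosts
        ):
            bad.append(href)
    return bad


def score_message(msg):
    """Count indicator categories present; fear combined with urgency scores extra."""
    text = msg.subject + "\n" + msg.body
    indicators = {
        "fear": _hits(text, FEAR_PHRASES),
        "urgency": _hits(text, URGENCY_PHRASES),
        "credential_request": _hits(text, CREDENTIAL_PHRASES),
        "link_mismatch": link_mismatches(msg.links),
    }
    score = sum(1 for found in indicators.values() if found)
    if indicators["fear"] and indicators["urgency"]:
        score += 1  # the classic "your money is at risk, act now" combination
    return {"score": score, "indicators": indicators}


# Constructed sample messages: one lure, one routine internal notice
PHISH = Message(
    sender="alerts@examplebank-security.test",
    subject="URGENT: your account has been breached",
    body=("We detected unauthorised access to your account. Immediate action is "
          "required: verify your account within 24 hours or it will be closed."),
    links=[("https://www.examplebank.test/login",
            "https://examplebank-security.test/verify")],
)
BENIGN = Message(
    sender="facilities@example.test",
    subject="Fire alarm test on Thursday",
    body="The quarterly alarm test runs at 10:00. No action is needed from you.",
    links=[("https://intranet.example.test/facilities",
            "https://intranet.example.test/facilities")],
)

if __name__ == "__main__":
    for m in (PHISH, BENIGN):
        print(m.subject, "->", score_message(m))
```

Run as a script it prints a score of 5 for the lure (fear, urgency, credential request and a link whose real host is not the one shown, plus the fear/urgency bonus) and 0 for the alarm notice. The link check is the part worth copying into awareness material: the visible text names the bank’s domain while the href points elsewhere, which is exactly what a trained employee should hover over and compare before clicking.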
Awareness is the number one defensive measure against social engineers and criminals. Employees need to be aware that social engineering exists and also aware of the tactics most commonly used.
Fortunately, social engineering awareness lends itself to storytelling, and stories are much easier to understand and much more interesting than explanations of technical flaws.
Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there.
It’s also important to remember that it isn’t just the average employee who needs to be aware of social engineering. Evidence from a number of security assessments has shown that executives are often the easiest targets. They are soft targets for many reasons, including a lax security attitude and their tendency to use the latest technology.
There are a number of specialised vendors offering tools to help conduct security awareness training, but it’s important to recognise that tools only help measure and deliver that training. You will still need to build an effective content strategy for the overall programme and ensure that it is kept up to date.