Social Engineering – A Growing Threat to Your Data Security
As corporate data breaches continue to make headlines, we look at one method hackers increasingly use to gain unauthorised access.
Social engineering is a common technique employed by hackers and cyber-con artists to profit from illegal activities. Social engineering also describes psychological manipulation by organisations, governments or individuals. However, we will be looking at social engineering in an information security context.
You have probably watched more than a few movies in which a confidence trick has been employed. You may even have been unlucky enough to have fallen victim to one. Regardless, social engineering is essentially a confidence trick, albeit a far more elaborate and complex one.
The purpose of social engineering is to extract information such as credit card numbers, login details, identity numbers, etc. The well-known 419 scams are an example of social engineering, in that they try to trick you into transferring money in return for a promised, much larger payout. These scams are one of the least complex forms of social engineering, and their purpose is simply to defraud their victims.
The types of social engineering that organisations need to be aware of are the ones where employees are targeted. These cyber-attacks in many cases will be aimed at gaining access to your organisation’s systems in order to steal data or to use your systems to attack an even larger target.
How Social Engineering Works
There are a few types of attack that a social engineer can employ.
Phishing is a common type of attack where the target is sent an email that appears to be from a trusted source. This email will usually contain a link or a downloadable file that delivers malware or a Trojan. Once installed on your computer, it will either give the attacker further system access or allow the social engineer to steal data for use in gaining further access, card fraud, or attacks on other systems.
Spear Phishing is a more targeted form of Phishing. The attack is tailored according to what is known about the target individual or organisation, and the information sought is usually specific to that individual or organisation. Accessing client data, intellectual property, and similar data will likely be the goal.
Pretexting is based on a lie. The attacker invents a pretext, claiming to need data such as login details or passwords in order to confirm your identity or verify an account.
Quid Pro Quo
This type of attack is based on ‘you scratch my back, and I’ll scratch yours.’ Here the attacker will phone, email or otherwise contact people at random and usually claim to be from tech support, IT or a similar department. Eventually, they will find someone with an IT problem who is only too grateful to receive help. The attacker will then ask for passwords, codes, remote access, or similar, in exchange for, or supposedly in order to deliver, the ‘help’.
Baiting makes use of an actual physical media device, such as a flash drive or CD/DVD, to deliver malware. The bait will, of course, be placed where it can be easily found and is sure to have an enticing label. Once inserted into a computer, the malware will install and the attacker gains access.
Handling Social Engineering
Your first line of defence is awareness and knowledge. Making sure to educate your employees about cyber-security threats and the forms they take will make it easier to spot threats before they can be effective.
Other measures you can take include:
- Establish security protocols and policies regarding sensitive information.
- Make use of offsite data storage and hosting that has access controls and allows only limited access to information based on employees’ roles. This way a breach will only expose limited information, and entry points will be more easily detected.
- Test your security at random throughout the year.
- Make sure paper documents are securely shredded by a trusted shredding company.
- Store important records that do not need to be accessed regularly at an offsite document storage facility.
- Make sure that leaving employees have all system access and email access revoked.
- Use encrypted communication lines and ensure your company website and emails make use of security measures and strong passwords.
- Carry out regular training on cyber-attacks and social engineering techniques.
- Have a plan in place that describes all the steps to be taken should you suffer a data breach.
There can be no doubt that the digital age has brought many great advantages to organisations and to life in general. Unfortunately, it has also brought a measure of risk, particularly to those who do not take the time to become familiar with those risks. Taking the time to get educated can save your organisation both money and reputation.