Protect your company from social engineering
What you need to know about this most insidious of security attacks
CSO - You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But what about the staff?Social engineers, or criminals who take advantage of human behavior to pull of a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this guide, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another try might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center... All Cybercrime and Hacking White Papers | Webcasts