What is social engineering? (And four defense measures.)
In the context of IT security, social engineering is the manipulation of a person, typically an employee, into divulging confidential information or performing an action they should not, often the transfer of funds. Cyber criminals rely on people’s trust to get them to reveal passwords, account details, or other confidential information about their own identity, the company, their colleagues, or their customers.
Social engineering attacks can be low-tech, relying on nothing more than a telephone call or unauthorized entry into a business location. Most of the time, however, attackers first harvest information from social media sites such as LinkedIn and Facebook and use it to make the attack appear legitimate.
Here are the four most common types of social engineering attacks:
1. Baiting
Baiting is the use of some alluring device, such as a flash drive left in the company parking lot and labeled with something intriguing like the word “payroll.” The technique exploits curiosity or greed: the finder plugs the drive into a work machine to see what is on it, and the machine is infected with the malware the drive carries. Once a machine is infected, the cyber criminals may be able to remotely snoop on the employee, harvest user names and passwords, or leverage that user’s (or an administrator’s) access to move into other parts of the company network.
2. Phishing
Phishing is a social engineering attack that uses email to trick the recipient into opening, clicking on, or responding to a fraudulent message crafted to look legitimate. Commonly, phishing messages borrow the branding, look and feel of household names, such as large banks, online services, or e-commerce sites. Phishing attacks use deception and manipulation to get the victim to give up confidential or private information, such as passwords or account details.
One step up from this is spear phishing, which uses data mined from the victim’s social media or other online presence to send a targeted message directly to the person. The attacker may pose as the person’s boss, a colleague, a friend, or a family member, and uses what they know about the target to make the request appear legitimate. Spear phishing attacks are often extremely successful.
3. Vishing
Vishing (voice phishing) is similar to a phishing attack but is carried out over an unsolicited telephone call from the fraudster. With vishing, the goal is again to exploit a person’s trust and get them to give up confidential information, such as social security numbers, passwords, or account details. In more sophisticated schemes, the attacker impersonates a governmental authority, such as a tax collector, investigator, or FBI agent, and scares the victim into transferring funds to avoid prosecution or additional legal penalties.
4. Physical Break-ins or Employee Tailgating
Impersonating employees is an effective way for criminals to gain illegal entry to an office. Once a criminal has physical access to a facility, further attack opportunities open up, from outright theft of computer hardware to the installation of malware or spying software on machines and the network. They may also attempt to disable other physical security measures.
Tailgating, or tailing an employee through a door, is a common tactic. The criminal dresses the part, carries a fake badge, and gains access to a secure area by closely following a legitimate employee through a door guarded by a badge scanner. Again, the criminal is relying on people’s trust and their reluctance to be rude by challenging a stranger or closing a door on them.
Here are some measures companies can take to educate their employees and mitigate the risks from social engineering attacks.
1. Employee Cyber Security Training
Employees are the weakest link in a company’s cyber security defenses. A robust cyber security awareness program educates staff at all levels on the kinds of social engineering attacks described above and on how to recognize, resist, and report them. Ongoing education and training help build a culture of security in the organization, which is the most important line of defense.
2. Good Social Media Habits
Social media is one of the most common tools cyber criminals use in their targeted attacks. Too often, cyber criminals can convincingly impersonate fellow employees or company officers because they have gathered personal details from social media sites. When people share too many intimate details about their lives on social media, scammers and criminals have a much easier time impersonating them and getting others to let down their guard. A key part of employee cyber security training is educating all employees about good habits on social media.
3. Multi-factor Authentication
Whether the attack is phishing or vishing, its most frequent goal is to get an employee to give up their username and password. That is why multi-factor authentication (MFA) is so important to implement. MFA combines something the employee knows (their password) with something they have (such as their mobile phone or a hardware security key). In many deployments the second factor is a one-time code sent to, or generated on, the employee’s mobile phone.
With MFA in place, even if an employee is tricked into giving up their password, the cyber criminal still lacks the second factor (the one-time code) needed to break into a computer or network, so the risk from a compromised password is greatly reduced. Even with MFA enabled, caution is still required. Newer targeted attacks know to ask for the code as well: if you enter the MFA code into a fraudulent page, the attackers relay it to the real site within the code’s validity window, gain access to your account, and can lock you out right away. One-time codes, whether sent by SMS or generated by an app, offer no protection against this kind of real-time relay. Phishing-resistant MFA such as FIDO2/WebAuthn security keys and passkeys does, because the authenticator’s response is bound to the website’s actual origin and is rejected when it is relayed from a look-alike site.
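The relay attack described above, and the origin binding that defeats it, as an added example that is not part of the original article or Protek’s own material: a Python simulation in which the victim, the look-alike phishing page and the real service all run in one process. The one-time code follows RFC 6238 (TOTP); the origin-bound challenge simplifies FIDO2/WebAuthn by using an HMAC with a per-device key in place of a public-key signature. The shared secret, device key, hostnames and challenge value are all constructed for the demonstration.

```python
"""
Why a one-time code can be relayed by a phishing page but an origin-bound
challenge cannot. Added illustration, not the article's own material: the
victim, the look-alike page and the real service are all simulated here.
"""
import hashlib
import hmac
import struct

# ---- Part 1: one-time codes (RFC 6238 TOTP: HMAC-SHA1, 6 digits, 30 s step) ----
SHARED_SECRET = b"constructed-demo-secret-12345"  # constructed; a real one is provisioned at enrollment


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC over the time counter, then dynamic truncation (RFC 4226)."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bank_verifies_totp(submitted: str, at: float) -> bool:
    """The real service only checks that the code matches the current window."""
    return hmac.compare_digest(submitted, totp(SHARED_SECRET, at))


def relay_attack_with_totp(now: float) -> bool:
    """
    The victim types password + current code into the attacker's look-alike page.
    The attacker forwards the same code to the real bank a few seconds later,
    still inside the 30 s window. Nothing in the code records which site the
    victim typed it into, so the bank accepts it.
    """
    code_typed_on_fake_page = totp(SHARED_SECRET, now)          # victim's authenticator app
    return bank_verifies_totp(code_typed_on_fake_page, now + 5)  # attacker relays it


# ---- Part 2: origin-bound challenge (the idea behind FIDO2/WebAuthn) ----
# Simplification: an HMAC with a per-device key stands in for the public-key
# signature a real authenticator produces; the binding logic is the same.
DEVICE_KEY = b"constructed-device-key-67890"
REAL_ORIGIN = "https://bank.example"         # constructed hostnames
FAKE_ORIGIN = "https://bank-example.com"
CHALLENGE = b"constructed-random-challenge"  # would be fresh random bytes per login


def authenticator_sign(challenge: bytes, browser_origin: str) -> bytes:
    """The browser, not the user, supplies the origin it is really connected to."""
    return hmac.new(DEVICE_KEY, challenge + browser_origin.encode(), hashlib.sha256).digest()


def bank_verifies_assertion(challenge: bytes, response: bytes) -> bool:
    """The bank recomputes over its own origin; anything bound to another origin fails."""
    expected = hmac.new(DEVICE_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def relay_attack_with_origin_binding() -> bool:
    """
    The attacker fetches a fresh challenge from the bank and forwards it to the
    victim on the look-alike page. The victim's browser signs it with the origin
    it is actually on (the fake one), so the relayed response is rejected.
    """
    relayed = authenticator_sign(CHALLENGE, FAKE_ORIGIN)
    return bank_verifies_assertion(CHALLENGE, relayed)


def legitimate_login() -> bool:
    """Same device, same challenge, but signed on the real site: accepted."""
    return bank_verifies_assertion(CHALLENGE, authenticator_sign(CHALLENGE, REAL_ORIGIN))


if __name__ == "__main__":
    fixed_time = 1_700_000_000  # fixed so the demo is repeatable (stays inside one 30 s window)
    print("Relayed TOTP code accepted by the bank:", relay_attack_with_totp(fixed_time))
    print("Relayed origin-bound response accepted:", relay_attack_with_origin_binding())
    print("Legitimate origin-bound login accepted:", legitimate_login())
```

The TOTP path is what the article warns about: the code is a function of a shared secret and the clock, so the bank cannot tell whether it arrived from the victim or from an attacker who collected it seconds earlier. In the origin-bound path the browser injects the origin it is actually on before the device signs, which is the property that makes WebAuthn phishing-resistant; the `totp` function here reproduces the RFC 4226/6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so it is the real algorithm rather than a stand-in.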
4. Checks and Balances with the handling of company funds
In many social engineering attacks, the cyber criminals try to trick employees into wiring funds or making payments to fraudulent entities. Companies can mitigate the risk of financial loss from these scams with policies and procedures that limit access to funds and bank accounts based on an employee’s role and seniority. Requiring multiple levels of approval for wires, ACH transfers, or check disbursements increases the likelihood that an illegitimate transaction will be caught and stopped. A telephone-based approval process for large transfers, and for any request to change a payee’s banking details, can stop these transfers before any damage is done, provided the call is made to a number already on file and not to one supplied in the request itself, since an attacker will supply a number they control.
New and existing Protek clients are encouraged to talk to Michelle Lawson about leveraging the full range of Protek’s available employee training and cyber security defense measures.
Eric is the owner and CEO of Protek Support and is a CISSP (Certified Information Systems Security Professional). He graduated from Utah State University with a Bachelor of Science degree in Business with an emphasis in Information Technology (IT). He is an IT services expert in a variety of technology-related fields, including document management software and hardware, enterprise-level networking and VoIP phone systems, large-scale software implementation projects, and the setup of small business networks.