Social Engineering: The Cute Fuzzy Bunny That Bites
Over 70% of IT Security breaches are a result of failure on the inside of the organization or IT infrastructure to protect important data or access to critical systems. One of the ways that the bad guys gain access is through a process called Social Engineering.
In my previous article on IT Security, we discussed several components of the CompTIA Security+ (SY0-201) exam. Social Engineering is a key element that is covered on this exam and other certification tests like CISSP.
In this article, we will examine different instances of Social Engineering and how you and your organization can defend against them.
What is Social Engineering?
Simply defined, Social Engineering is a process of exploiting trust to gain access to a facility or critical pieces of information.
Another name associated with Social Engineering is wetware, which is a hacking technique that utilizes human involvement and mentally deceptive schemes to gain access, instead of software or hardware.
Why Does Social Engineering Occur?
Human nature is a very difficult thing to explain and best left up to experts in psychology or sociology. However, there are several examples of why people feel the need to employ methods of Social Engineering to achieve unauthorized access.
Revenge against an employee or organization is a common one. The ability to damage reputations or destroy or modify important data is often a goal when it comes to revenge. As is evident with many hackers today, the pure thrill of the attempt and potential success is a big contributor. In the case of accessing financial assets of an organization, few things can be stronger than old-fashioned greed.
Examples of Social Engineering
How does one recognize Social Engineering? Let’s look at a list of examples and then discuss a few of them in detail. Examples include:
- Shoulder Surfing
- Access Tailgating
Phishing is one of the most commonly identified methods of Social Engineering.
Phishing is a method used to obtain important personal information such as passwords, credit card numbers, etc., by using an innocent-looking letter, email, or conversation.
Phishing happens several thousands of times a day across the world, and the attempts are not only on the increase but are also getting more creative.
Hoaxes are self-explanatory. News articles today often contain stories of various scams that individuals have devised to obtain personal information or money.
Hoaxes can be electronic in nature, described on a printed document, or an elaborate scenario used to create a situation that will allow an unauthorized person physical access to an IT facility.
Fake fire alarms, maintenance scenarios, and even hazardous chemical spills are all examples of hoaxes that have been used to allow unauthorized access for nefarious individuals.
Ever had a co-worker stand behind you as you log on to an IT system? This event may look innocent, but Shoulder Surfing can provide an individual with hostile intentions a great deal of information.
Passwords, personal information, and even proprietary corporate information can be obtained by this method and the perpetrators often utilize friendships or business relationships with their victims repeatedly to gain more data.
Tailgating is the act of gaining physical access to a secure facility by following a cleared individual into the facility during the same access attempt.
Infiltrators often use conversation to lull a person into trusting them for access, convince them that they have lost or forgotten their badge, or use a false badge that isn’t “working” for the card reader.
How Can IT Security Professionals Prevent Social Engineering Events?
There are two primary ways for IT Security Professionals to raise awareness of Social Engineering and prevent these schemes from succeeding.
The first method is education. Training an organization’s personnel on protecting their personal or computer information and on the rules of physical access is critical. IT users should follow the organization’s procedures regarding personal information and should never provide passwords for accounts to anyone. Organizations should conduct Information Assurance training at least once a year, and smaller training classes that target specific threats should be held more frequently.
The next method to raise awareness is drills. IT Security Professionals should conduct drills at least quarterly that target different aspects of an organization. Phishing emails, tailgating awareness exercises, and physical access badge checks are all good examples of drills that will reinforce awareness of potential Social Engineering methods.
Social Engineering: What Have We Learned?
As you have seen over the course of this article, Social Engineering is a serious threat to the integrity of an IT organization. As IT Security Professionals, one of the most important struggles we face is prevention of new and innovative attacks that threaten our IT infrastructure.
Preventing easy access to data or systems that can be gained via Social Engineering is of extreme importance, and every effort should be made to raise awareness of these methods of information gathering.