April Fools is a whole day dedicated to the art of deception. Newspapers run spoof stories, pranks are pulled and the world generally does its best to tickle its collective funny bone. For that one day, that brief 24 hours, lies and deception become funny.
That is, unless those lies and deception involve social engineering.
Malicious and insidious, social engineering targets your most valuable corporate asset: your people. Worse, because it is generally not technological in nature, it can be extremely difficult to protect against. There is no 24-hour period of grace from this security threat, and it is never funny – not even on April Fools Day.
So how can you keep social engineering attacks at bay? The best way to prepare a defense is to learn about your enemy. Let’s start by taking a look at the way this method might be used to target your organization.
Information gathering and corporate reconnaissance may be the first item on a social engineer’s agenda. Uncovering confidential data through conversations with your employees could be their true aim, or they may use simple techniques to convince your own staff to install malicious software on your system.
It is not uncommon for social engineering attacks to consist entirely of conversations. Your front desk employees are particularly vulnerable here as they are trained to respond to and facilitate external requests. Thus, a simple phone call may convince an employee to inadvertently reveal their password, with the attacker sometimes posing as IT support personnel, or simply requesting such information for software maintenance purposes.
Sometimes the information is gathered by directing unsuspecting employees to a website infected with malware. In this manner, attackers are able to covertly gather information and even gain access to your system.
Telephones are not the only weapons that a social engineer has in their arsenal. Email, fax and even regular snail mail are all other mediums that might be used to exploit vulnerabilities in your organization’s security. For example, a well-crafted fax might convince your purchasing officer that a supplier has indeed changed their banking details, resulting in the attacker stealing funds from your company.
It gets more worrying when you realize that social engineers can attack your organization without having any actual human contact. USB sticks that are infected with Trojans or other malicious software can be left in places that see high employee traffic, almost ensuring they will be picked up and plugged into a computer. This will result in compromised system security.
More sophisticated attacks come in the form of social engineers using guile and deception to gain physical access to secure areas within your building. They might pretend to be employees, or even impersonate fire department officials or building inspectors. Such attacks do involve greater risk for the attacker, but the pay-off for them can also be high as they may have the opportunity to install wireless access points or key loggers that will leave you with severe security breaches.
Protecting your company against such attacks is not easy. Educating your employees to always follow your security policies, with no exceptions, is a major step towards mitigating the risk of succumbing to social engineering attacks.
But how can an attacker use social engineering against you? Surely your staff would not divulge information or willingly break with procedure? It’s actually easier to fall prey to these methods than you think. Let’s look at a simple example and you may see just how vulnerable you are.
John, a help desk employee, receives an angry call from someone claiming to be a branch manager. John is not familiar with all the company’s employees, having only been employed very recently – a fact he posted to his Facebook wall when he was celebrating his newfound job.
The furious manager complains that he is unable to log in to the system and demands a new password urgently, claiming he has an urgent report to finish. John informs the manager that he will call him back as part of the company’s identity verification procedures. So far things seem OK.
The manager becomes even more aggressive, threatening to report John for any delays caused in finishing the urgent report. John panics and caves in under the pressure. After all, John is new in his job and eager to please. In this way the social engineer gains a password that gives him managerial level access to your system.
Does that sound like an unrealistic scenario? Not at all, and such attacks can happen at any time.
Understand that the purpose of social engineering is to gain access to our data and networks by using our trusting human nature against us. This weapon is the art of deception and has extremely serious consequences for our network security. So never cut corners when it comes to security policies. It is only by playing by the rules that you have a chance to defend against an attacker who will relentlessly probe your armor for weak spots. Make sure you don’t let them find any.