By Peter Davey
Social engineering is the art of obtaining confidential information by exploiting human psychology. This is nothing new, but criminals are increasingly using it to steal valuable information from businesses. The easiest social engineering technique is a diversion. We’ve all seen it in movies: someone diverts a security guard’s attention and the bad guy slips into the building.
Rather than hacking into vulnerable computer systems, people use deception to reach their goals. For example, I might call someone in a company and say I’m from their IT group. I need their password so that I can fix a problem with their computer. If the person thinks I’m legitimate, they might give it to me. Once I have it, I can steal valuable information.
Social engineering has proven very successful as a way for criminals to get inside your organization. If I have a password, I can browse around a network and see what I can find of value. Another common scam is to approach an employee as they are entering a building. You tailgate behind them and walk in. The pretense is that you forgot your access card at your desk, so it’s very nice of them to let you in. Once inside, you could steal documents, download data or walk off with a laptop.
Criminals could take weeks or months researching how to get in the door. A common way is to find employees on LinkedIn or Facebook. Some people put phone numbers and email addresses in their profiles and enough other information that makes it easy to contact them. From there it’s a matter of finding an angle and trying to dupe the employee into giving something away of value.
People are fooled every day by these cons because they haven’t been properly warned about social engineers. Unfortunately, human behavior is always the weakest link in any security program. People don’t question you when you look like you belong, which is a common approach to entering a building or office. The same applies on the phone: if someone calls claiming to be from a vendor or customer, asks for information, and knows enough about that company, you assume they are legitimate.
Social engineering tricks are always evolving, so it’s important to train your employees regularly. Just as with viruses and phishing scams, the techniques keep changing.
Here are a few tips to avoid becoming a victim:
Be suspicious of unsolicited phone calls, visits, or email messages from people asking about employees or other internal information.
Don’t provide personal or organizational information, including your structure or networks, unless you are certain of a person’s authority to have that information.
Don’t reveal personal or financial information in email and don’t respond to email solicitations for this information.
Don’t send sensitive information over the Internet before checking a website’s security.
If you are unsure of an email’s legitimacy, contact the company directly to verify it.
Persistent Document Security
Everyone thinks that the biggest threat to your information security is hackers using technology, but much of it comes down to human vulnerabilities and mistakes. Technology can still make a big difference, and it’s important to use persistent protection on your documents, so that if something gets out you can control who can use it. If a document is stolen or sent inadvertently to a social engineer, you can revoke access to it. If someone then tries to read the content, it’s useless to them, since encryption makes it look like random characters. Train your people to look out for social engineering techniques, and remember: if it looks too good to be true, it probably is.
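The paragraph above describes persistent document protection in outline: the file itself is ciphertext, the key lives with a service that checks who may fetch it, and the owner can revoke the key after a leak. The following is an added example, written for this article and not code from the original post or from any product it refers to. It is a self-contained model of that design using only the Python standard library; the HMAC-SHA256 counter-mode keystream, the KeyService class, the document id and the user names are all constructed for illustration, and the cipher is a teaching construction rather than something to ship.

```python
"""Added example (not from the original article): a minimal model of
"persistent" document protection. A document is encrypted under a
per-document key held by a key service, so the stolen file is just
random-looking bytes. Revoking the key later makes an already-leaked
copy unreadable. Standard library only; the keystream is a constructed
HMAC-SHA256 counter mode used for illustration, not a production cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag authenticates nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("document tampered with or wrong key")
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyService:
    """Hypothetical key service: holds document keys and who may fetch them."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._allowed: dict[str, set[str]] = {}

    def register(self, doc_id: str, allowed_users: list[str]) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[doc_id] = key
        self._allowed[doc_id] = set(allowed_users)
        return key

    def revoke(self, doc_id: str) -> None:
        # Owner pulls the key: every existing copy of the file becomes unreadable.
        self._keys.pop(doc_id, None)
        self._allowed.pop(doc_id, None)

    def fetch_key(self, doc_id: str, user: str) -> bytes:
        if doc_id not in self._keys or user not in self._allowed[doc_id]:
            raise PermissionError(f"{user} may not open {doc_id}")
        return self._keys[doc_id]


def open_document(service: KeyService, doc_id: str, user: str, blob: bytes) -> bytes:
    """What a viewer does: ask the service for the key, then decrypt locally."""
    return decrypt(service.fetch_key(doc_id, user), blob)


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte and confirm decryption refuses it."""
    damaged = bytearray(blob)
    damaged[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed scenario: a forecast leaks, then its key is revoked."""
    service = KeyService()
    doc_id, owner, outsider = "q3-forecast", "alice", "mallory"
    key = service.register(doc_id, [owner])
    secret = b"Q3 forecast: revenue up 12%"
    blob = encrypt(key, secret)  # this is what would be stolen or mis-sent
    results = {"plaintext_visible_in_file": b"forecast" in blob}
    results["owner_reads"] = open_document(service, doc_id, owner, blob)
    try:
        open_document(service, doc_id, outsider, blob)
        results["outsider"] = "opened"
    except PermissionError:
        results["outsider"] = "denied"
    service.revoke(doc_id)
    try:
        open_document(service, doc_id, owner, blob)
        results["owner_after_revoke"] = "opened"
    except PermissionError:
        results["owner_after_revoke"] = "denied"
    results["tamper_detected"] = tamper_detected(key, blob)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the model is where the key lives: the document carries no key, so a copy that reaches a social engineer is only as useful as the key service allows, and revoking the key after an incident closes off copies you can no longer recall. Real products implement the same separation with vetted ciphers and an authenticated key service; the cipher here is deliberately simple so the design is visible.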