The Dangers of Social Engineering
Technology has significantly changed the way companies secure their business, including their goods, data and other valuable assets. From security cameras, retinal scanners and advanced filters and processes for telephones and email, we have truly technologically secured our businesses. So why is it hackers can bypass all of this without even needing to best your security systems?
Some of the most prolific leak of data and compromises of secure systems in recent times was not because of the actual system failing, it was the humans it was protecting. Social engineering targets the employees at your organisation, taking data and information off the web to exploit your employees. Even with all of the security in the world, if your staff isn’t ready, they will allow hackers inside.
So what is Social Engineering?
Social Engineering is the practice of manipulating your staff for information or access to your systems. There are many different methods they use to achieve this but it all revolves around manipulating personal and business information to trick staff. By using these methods to manipulate your staff they can easily infiltrate your system without you even knowing it. So in order to truly guarantee the safety of your business you need to understand how they can trick your staff, and what you can do to make your employees more aware of the dangers.
What are the methods of Social Engineering?
In the modern day, the most commonly known method of social engineering is phishing emails. Everyone from business users to home users know of the dangers of a fake email. These can be from the classic “Nigerian Prince” to emails pretending to be from Facebook. However, with the correct information, these phishing emails could be impersonating your staff, your family or even business’s that you are affiliated with. By using information easily obtained via a google search, hackers can easily create credible ways of tricking you into giving information away.
Whilst email is the most modern technology to be targeted, it is not the first technology to be exploited for information. Phishing calls have been around for many years where people pretend to be from businesses affiliated with your company or yourself. These could be from someone pretending to be from your IT company or department or even from Microsoft themselves. If they are successful in their attempt at fooling you, they can request passwords, unrestricted access or sensitive information without ever having to breach your systems.
However it’s not just phishing intrusions that you have to be aware off. One of the oldest methods of social engineering is to just infiltrate your site by walking through the front door. I imagine many of you must be thinking “how? I have a receptionist and secure procedures to ensure only the correct personnel are let through!” Human error is how. Using charm, psychology and some well-known information about the business, people are able to trick your staff into letting them through. An example of this is the 2007 robbery of the ABN AMRO bank in Brussels, who used only a fake name and charm to slowly get access to valuables in the secure vault and left through the front door. Despite this being an incredibly secure bank, the staff were manipulated and allowed someone through all of their secure systems and procedures.
A final method of social engineering that someone might attempt at your organisation is one of the simplest but can also be one of the most concerning. If you have a secure system and well trained staff who are not fooled by hackers, then there is one last way in for them. The easiest way to gain access to your companies system is of course to be employed by your business. Hackers are patient and will wait, biding their time for the right time to strike. Therefore if you are a business with a high turnover that may not necessarily do strict background checks on people, as you are only employing people to maintain high numbers then you may be letting a potential hacker in. By getting legitimate access to your systems, they can use their position there to gather more information or gain access to areas they were previously unable to reach.
What can I do to stop these social engineering attacks?
As you have probably noticed, the key to all of the aforementioned methods working is human error. So how do you train your staff to limit human error, and what can you put in place to better protect your business?
Phishing emails and telephone calls are all based on bluffing based on information gathered from the business. Therefore in order to call their bluff you will need them to verify a procedure or information in order to proceed. For instance if you receive an email from “Dell” with regards to an issue with your PC you would expect the support email address to be something on the lines of Support@Dell.com. However a phishing email is more likely to look like Support@Delll.com. If you hadn’t noticed already, there is an extra L in the phishing email that can be easily missed and lead to people giving away vital information or maybe even opening links to malicious websites that infect your PC with malware. With phone calls however it can be a little more tricky. If people strike a familiarity or seem to represent BT etc. that may have a legitimate reason to contact you, then you need a particular individual delegated to deal with these dealings. By having set people responsible and set channels for suppliers to contact you on, you will have staff able to question and probe phishing phone calls to defeat their bluffs. However if there are other phishing calls attempting to gather information from your employees, it is important to implement no-names policies and limiting what your staff are allowed to disclose. By putting these procedures in place you minimise the potential risk to your organisation and add more layers of protection against human error.
Speaking of layers of protection, it is important to have multiple layers to protect against on-site intrusion. There are a few popular methods of getting into a secure method such as tailgating someone with a key to a locked location, bluffing and charming your way through or even phoning up to pretend you are from a service company coming for an inspection of sorts. To best protect your business against these threats, you will need to educate staff on how to spot people attempting to bluff their way in. For instance a key card is there for a reason, so it should be a policy that everyone needs to swipe to get into the building. Therefore there should be no reason to let someone in without a card for any reason, and they have to report to the front desk. By having this policy in place, and educating your staff of the policies implemented, means there should be no way of infiltrating in this fashion. Also by educating your staff that there are people attempting to infiltrate the business in this manner means they should be better prepared once the situation arises. To best educate them, it is recommended that you undertake a penetration test that uses all of the methods mentioned in this blog, and tests the reactions from your employees. In this test environment you can see what your business and employees may be vulnerable too, and make adjustments as recommended by the penetration testers.
Where can I get a penetration test?
Southbank IT now offers penetration testing services to test your software, infrastructure, policies and employees to see how secure your business is. Each test is designed around your requirements and security concerns, so we will only go as far as you want us too.
If you want more information on the dangers of Social Engineering or on penetration testing then why not give us a call? Our professional team would love to hear from you!