Defense in depth. Layered Security. These are common terms touted in Cyber and Information Systems Security. While one can deploy the most technologically advanced security features, one cannot ignore the importance of the human element: your users, your staff, your colleagues in your business. The attack that targets them has a name: Social Engineering.
Social Engineering can be seen as an art form: the art of manipulating individuals into taking certain actions or divulging private, secure information. Social engineers are a special breed of hackers who skip the hassle of writing code and go straight for the weakest link in your security defenses – your users themselves. A phone call, a simple disguise or a casual email may be all it takes to gain access, despite having all the necessary technological measures in place.
Here are just a few examples of how social engineers work:
Email Spoofing: Presenting an email which seems to be sent from someone else. Anyone with a little technical know-how can set up an email program to send as “firstname.lastname@example.org”. Combining this forged sender with other information obtained from a shipping address, a contact detail or even personal data taken from social networks, one can quickly pen an email that uses urgency and fear to request classified information. Imagine if one of your co-workers were to receive an email from your boss asking them to email him a copy of a file stored on the file server. Would they do it? What precautions would they take to ensure the request is legitimate?
Telephone Spoofing: Similar to email spoofing, but this time over the telephone. Posing as IT Support, a Government Official or even a customer, the hacker could quickly manipulate your co-worker into changing a password or giving out restricted information. These hackers are very persuasive, even using background sound effects like a crying baby or call-center noise to trigger empathy or trust.
In-Person Spoofing: A delivery man in uniform gets past most people without question, and so does a repairman. The social engineer can then quickly move into sensitive areas of your business. Once inside, they essentially become invisible, free to install network listening devices, read a Post-it note with a password on it, or tamper with your business in other ways.
It is impossible to predict when, where or how a social engineer will strike. The attacks listed above aren’t particularly sophisticated, but they are extremely effective. Your staff and co-workers have all been trained to be helpful, and that very helpfulness can be a weakness.
What can you do to protect you and your business?
Recognize that not all of your employees have the same level of interaction with external people. The front desk receptionist taking calls is at a higher risk than the factory worker on the production line. However, understand that they all have access to different levels of sensitive, restricted data and, as such, any of them could be a target for a social engineer.
The best method of combating social engineering attempts is User Security Awareness Training. Make it a quarterly or monthly effort to keep your staff and co-workers updated on the different levels of risk identified, focusing on how to respond to the types of scenarios they might find themselves in, and provide examples of social engineering attempts that have been reported in the media. It will take some effort to arm all your staff and co-workers with sufficient knowledge to combat social engineering attempts; however, the potential consequences of social engineering are too serious to be taken lightly.
ManagedIT.SG is an IT Support, IT Solutioning and Managed IT Service Provider specializing in serving Small Businesses in Singapore. Call us at +65 6748 8776 and let us manage your Small Business IT today!