Social engineering is a tactic cyber criminals use to manipulate individuals into giving up confidential information such as Social Security numbers, credit card numbers, and passwords.
In the cyber security world, the weakest link in the security chain is the user, which is why people are the target of social engineering. It doesn't matter how many security measures you have in place. You can have locks on your doors, an alarm system, the latest firewalls, and network or security monitoring tools; all it takes to get into your network is to trick one user into clicking a malicious link they believe came from a social media site.
Understanding How Social Engineering Works
Social engineering is behind many of the recent major attacks, from the Sony Pictures hack to the White House. Attackers will use whatever means necessary to break into a company's network and steal information, and by far the most successful is social engineering. Criminals will sometimes spend weeks or even months researching a company and its employees on social media such as LinkedIn, Twitter, or Facebook before ever coming in the door.
In your workplace, how often have you heard "could you hold the door please, my hands are full" or "I forgot my badge"? The individual may not seem suspicious, but this is a very common social engineering tactic. On the phone, a social engineer might call and pretend to be a trusted person (law enforcement, a co-worker, IT support, a bank auditor, etc.).
4 Most Common Social Engineering Attacks
Phishing
This is the most common technique used in social engineering. Phishing is a technique used to convince people to open emails or attachments infected with malware. Criminals will usually start by creating a web page that looks like Outlook, Amazon, etc. They will then send a crafted email to the company without targeting a specific user. Clicking any link in these emails takes the user to a login page asking them to provide their login information. This eventually leads to requests for credit card information or other potentially sensitive information.
As a precaution, never open links or attachments from unknown sources. When in doubt, it is best to report the message. This helps reduce the risk of being compromised and raises the level of awareness.
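The two tell-tale signs of the phishing email described above (a link whose visible text shows one address while its href goes elsewhere, and a hostname that borrows a brand name such as Outlook or Amazon without belonging to that brand) can be checked automatically before a message reaches the user. The following Python script is an added example and not part of the original article; the brand domain list and the sample email, including every hostname in it, are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains of the brands the article names as commonly imitated (assumption, not an authoritative allowlist).
BRAND_DOMAINS = {"outlook": {"outlook.com", "live.com", "office.com", "microsoft.com"},
                 "amazon": {"amazon.com"}}

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from the anchors in an HTML email body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude two-label approximation of the registrable domain (no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    # Returns [(href, [reasons])] for links that look like credential-harvesting lures.
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host, reasons = urlparse(href).hostname or "", []
        shown = re.search(r"https?://([\w.-]+)", text)  # visible text that itself looks like a URL
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append("visible URL and href point to different domains")
        for brand, legit in BRAND_DOMAINS.items():
            if brand in host and registrable(host) not in legit:
                reasons.append(f"hostname imitates {brand}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message; every hostname here is invented for the example.
SAMPLE_EMAIL = """<p>Your mailbox is full. <a href="http://outlook-secure-login.example-verify.net/owa">
Sign in to Outlook</a> to keep receiving mail.</p>
<p>Order update: <a href="http://198.51.100.23/signin">https://www.amazon.com/orders</a></p>
<p>Help: <a href="https://support.example.com/">support.example.com</a></p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine support link alone; a mail gateway would quarantine or tag such messages for the report-when-in-doubt step above.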
Pretexting
This is another form of social engineering in which attackers pretend to be someone else to obtain sensitive information. Pretexting can be used to create an entirely new identity and then use that identity to manipulate users. For instance, a criminal may call, claim to be from the HR department, and ask you a few questions. Once the criminal has the information he wants, he will sell it to people who may use it to steal your company's assets or even sue you.
Tailgating
This usually starts with a criminal striking up a friendly conversation to talk their way into a restricted area of your business. It can be as simple as an employee opening a door and holding it for another person to enter, without any proof that the person they let in was authorized to be there.
Baiting
Baiting is simply offering users something for free. An attacker might offer you free movie or music downloads. These, of course, contain malicious programs. In another variant, an attacker leaves an infected USB flash drive in a public place, hoping someone will pick it up and plug it into their device.
Protecting Your Business Against Social Engineering
Social engineering should be a concern for organizations of any size, big or small. Therefore, prevention and education play a key role in avoiding incidents. Integrity can assist and support your organization with a customized security bundle that addresses these common threats. The goals are to minimize the risk associated with these threats, reduce the likelihood of a security breach, help your people become "protectors of information", and demonstrate due diligence on behalf of your organization with respect to security compliance.
Integrity's Information Security Advisor and dedicated Security Services Team are ready to assist you with:
- Ongoing Security Awareness Program - Employee Education
- Multifactor Authentication - Protecting Against Credential Theft
- Mobile Device Management - Policy Creation, Support, and Management Tools
- Advanced Management Security Monitored Compliance Reporting
Contact us for more information.