Social engineering is the term for the act of tricking someone into performing actions they would not otherwise perform; often it involves divulging sensitive information. Social engineering plays on people’s desire to be helpful or to comply with requests that seem to come from an authoritative source. It can often be used to defeat expensive and elaborate information security programs, so it is important to educate your employees about the risks of social engineering to help keep your business secure.
Social engineering can take many forms including:
Physical Social Engineering – Involves a direct personal interaction in which the perpetrator engages the target face to face. Physical social engineering still occurs but is riskier for the person attempting it because there is a greater chance of being identified and caught. Examples of physical social engineering include:
- Gaining unauthorized access to a building by getting someone to hold a door, tagging along behind them, or flashing a fake badge
- Impersonating authorized personnel such as cleaning staff, electricians or other service professionals to gain access to areas that are off limits.
- A wide variety of other actions, including asking someone to disclose a password, open a file on a USB drive, access a system or perform other actions intended to aid the attacker's cause.
Telephone-Based Social Engineering – Telephone-based social engineering is a widely used method that helps the perpetrator gain the needed information while minimizing the risk of being identified, compared with physical social engineering. Examples of telephone-based social engineering include:
- Impersonating the help desk by telephoning users in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)
- Impersonating business executives by telephoning the help desk in an attempt to acquire sensitive information (such as user names and passwords or system configuration information)
Computer-Based Social Engineering – This has become the dominant form of social engineering today. Computer-based correspondence is much harder to trace than in-person or telephone contact, and that anonymity makes it an attractive attack venue for social engineers. Examples include:
- Email based phishing attempts that trick a user into clicking on a malicious link or disclosing a password
- Internet sites set up to take advantage of mistyped names of prominent web sites (so-called typosquatting)
- Social media based interactions attempting to gain access to personal information
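One defender-side check for the email and lookalike-site vectors above, added here as an example and not part of the original article: it flags sender and link domains that are near-misses of a trusted-domain list, and display names that invoke a trusted brand from an untrusted address. The trusted domains, the confusable-character pairs, the sample messages and the two-label registrable-domain rule are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as its own or trusted.
TRUSTED_DOMAINS = {"example-corp.com", "examplebank.com"}
# Character pairs that read alike on screen ("exarnple" for "example").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link host."""
    # Assumption: the registrable name is the last two labels (no public suffix
    # list here), so "mail.example-corp.com" maps onto the trusted name.
    registrable = ".".join(host.lower().strip(".").split(".")[-2:])
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    folded = registrable
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(folded, trusted) <= 2:
            return "lookalike"
    return "unknown"

def triage(sender: str, display_name: str, links: list) -> list:
    """List the reasons a message deserves a phone call before acting on it."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain} is {verdict}")
        name = display_name.lower().replace(" ", "")
        # A trusted brand in the display name over an untrusted address is the
        # "looks like it came from a co-worker" pattern the article describes.
        if any(t.split(".")[0] in name for t in TRUSTED_DOMAINS):
            findings.append(f"display name '{display_name}' does not match sender")
    for url in links:
        host_verdict = classify_domain(urlparse(url).hostname or "")
        if host_verdict != "trusted":
            findings.append(f"link {url} points to a(n) {host_verdict} domain")
    return findings
```

An empty result from `triage` means nothing was flagged; a non-empty list is a reason to verify the request by phone before acting, as tip 8 below advises.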
Top 10 social engineering tips to help educate your employees and protect your business
10. Anyone can be targeted by a social engineering attempt, and those who are most confident in their ability to spot one often end up victims. Hubris is deadly, so always have humility and use your best judgement to avoid falling for a scam.
9. The most common physical social engineering risk is piggybacking into a facility. A social engineer attempting to piggyback will wait until someone with valid building access opens the door and then try to tag along behind that person. Teach your employees always to ask for valid ID before letting someone in behind them, and audit for compliance.
8. Just because an email appears to come from a trusted friend or co-worker does not mean you actually know the sender. If the request is out of the ordinary and seems suspicious, follow up with a phone call to make sure it is legitimate. A high profile information security company recently failed to do this and suffered disastrous consequences as a result.
7. Determined social engineers do their homework. They perform a lot of due diligence on the Internet and will arrive equipped with knowledge to aid their goal of tricking you. They will know executive names, titles, etc., but that doesn’t make their request any more legitimate, only harder to detect.
6. Be very suspicious of emails requesting password information or validations that are required immediately. These are typical tactics of spear phishing social engineering attempts, and you must teach your employees to avoid these scams.
5. Practice the “Need to Know” principle. Just because an individual asks for certain information does not mean they require it, so all requests should be evaluated on a need-to-know basis. Teach your employees to ask, “Does the individual making this request really have a legitimate need to know this information?”
4. Avoid using USB drives and other media from unknown sources. This is a common way for social engineers to gain a foothold in an organization through a malicious executable file, and it is avoidable by educating your employees about the threat.
3. Regularly remind employees about the dangers of social engineering to your business and provide real life examples.
2. Set up a process so your employees can report social engineering attempts. It is important to measure the threats your business faces and determine whether any patterns can be detected to help minimize your long-term risk.
1. Trust your instincts, but also refer to established policies. Many social engineering victims mention afterwards that something seemed out of place but they went along with the request anyway out of a desire to be helpful. Train your employees in the procedures you want them to follow and perform audits to validate that those procedures are being followed.
Social engineering is the most difficult threat to protect your company against because it requires all of your employees to become active participants in staying secure. Follow these tips and make social engineering awareness part of your regular information security awareness program.