Social engineering within the context of digital security is the act of manipulating people into giving away confidential information or doing things that compromise data integrity without them realizing that they’ve been conned. It’s a big threat to enterprise data because criminals using this tactic don’t try to break into an organization’s IT systems to get what they want; instead, they go straight to the employees and prey on their weaknesses. Human behavior is not something organizations can fully control, so criminals use it to their advantage.
Your organization may have the most sophisticated protection deployed on enterprise data, but a security breach can still happen through your employees. The most alarming thing about this is that there are many ways criminals can get through people using social engineering. Here are just a few possible scenarios:
- Criminals posing as delivery people enter the premises of an organization. Once inside, they procure IDs and duplicate them to gain access to data centers and other infrastructure. These access cards come from employees who left their IDs lying around in places where they can be easily stolen.
- Criminals pretending to be IT personnel install malicious software (malware) in various computers to copy enterprise data. This is passed off as a system update, which many employees are inclined to believe because they think they’re dealing with their IT department.
- Criminals claiming to be bank representatives call employees about problems with their corporate credit card accounts. After the call, they send employees an official-looking email purporting to come from the bank. The email includes a link to a cloned site that asks for a credit card number, social security number, birthday, and other personal information necessary to access a financial account. Thinking that they’re in the bank’s official site, unsuspecting employees enter their details.
In all these scenarios, criminals don’t just appear from nowhere. For social engineering to successfully work, the ruse needs to start small, maybe even with something as simple as befriending the front desk receptionist to develop a relationship of trust. No employee is too insignificant to be ignored even when the ultimate target is higher up the hierarchy.
Criminals also take time to develop their modus operandi. They spend weeks and months studying places, observing people, and looking for vulnerable spots. This extensive preparation can culminate in a complicated scheme, but sometimes, even the simplest plan works, which is indicative of just how big the exploited security gap is.
It’s for this reason that some organizations hire social engineering experts to perform penetration tests on their on-site security to determine the weaknesses criminals can exploit. Chris Nickerson, founder of Lares, a security consultancy based in Colorado, was tapped by a retail company to get into its network and database through social engineering. He successfully completed the task by pretending to be a representative from Cisco. How, exactly, did he do it?
Nickerson bought a Cisco shirt for $4 at a thrift shop. Next, he dropped by the retail company’s office to look for an employee named Nancy. He specifically chose Nancy because he knew she wouldn’t be there – her public Twitter page said that she was dressing up to go to a horse race.
Sure enough, the receptionist told Nickerson that Nancy was not at her desk and that she might be out. He told the receptionist that he and Nancy were just exchanging text messages, and in her last text, she told him to wait because she was just getting out of a meeting. The receptionist agreed to let him stay at the reception area.
After several minutes, right around lunch time, Nickerson asked the receptionist if he could eat somewhere while waiting. He knew that there wasn’t a nearby restaurant or food establishment in the area, so, as he expected, she let him into the cafeteria inside the office. Once he was in, he saw that there were no guards around the premises, which left the whole building accessible to him to do what he wanted. For the rest of his account, read Social Engineering: The Anatomy of a Hack.
But even without reading the rest of the story, it’s scary to know how easy it is for hackers to gain access to confidential information. It’s scarier still when these hackers are not the good guys hired to test security, but the bad guys who are out to steal information.
You can’t monitor all actions of all employees at all times, but you can educate everyone – from the CEO and the board of directors down to delivery personnel and security guards – about the dangers of social engineering. Teach them to be more cautious and less trusting, especially with strangers. Also, enforce well-defined rules and processes to help curtail social engineering attempts. Going back to the example earlier: if the retail company had a strongly enforced policy on waiting guests, Nickerson would not have been allowed to enter the cafeteria. Had he insisted, in this hypothetical scenario, security guards would have escorted him outside.
Aside from teaching employees to be wary of strangers, you should also educate them on how to use technology properly. Practices such as keeping passwords secret, logging out of accounts on shared computers, and password-protecting important documents may seem basic, but don’t take it for granted that everyone already knows them. Organization-wide training will make all employees aware of the active roles they play in enterprise security.
Training is even more important when your organization is moving to new technology. Make sure that the vendor or provider you’ve chosen for a product/service offers adequate technical support during the transition stage so that employees can quickly learn how to use it properly before they unwittingly do something that puts enterprise data at risk.
In the end, the best weapon your organization has against security threats is still awareness. An investment in high-tech security measures should be matched with an investment in training and education.
* We do product demos for Convene, and we also provide support if you have any questions about usage. We make the transition to paperless board and enterprise meetings as smooth as possible for your organization.