Social engineering: Clear and present danger

Although many companies in the information security industry prefer to tackle challenges with sophisticated hardware, the art of lying continues to be a towering risk that is difficult to deal with.

The ancient threat of social engineering is in the news all the time, often used by cybercriminals, but also by those without malicious intent. Recently, two students from Savannah State University managed to social engineer their way into Super Bowl XLVII and posted a video of their adventure online. While I’m sure that the level of security at one of the world’s biggest sporting events must be impressive, weak links will always be taken advantage of.

“The formal study of social engineering as we know it today has only occurred in recent years, but it was thousands of years in the making. The underlying principles and science behind why we do what we do don’t change much, but the tactics employed by attackers do,” said Dale Pearson, Founder of SubliminalHacking.net.

The insecurity of an individual can become a peril for the company that employs him. Since Internet users tend to share too much of their personal information, especially on sites like Facebook, skilled liars can take advantage of the data and social engineer their way into the corporate world.

Jason Hong, CTO at Wombat Security, comments: “A common tactic by an attacker is to slowly build up trust over time. For example, the attacker might call a person in an organization using a fake caller ID so that it looks like it’s from a company number. The attacker might also start out by being friendly and just asking for innocuous information at first. Over time, though, the attacker would slowly escalate, requesting more sensitive information over a period of months.”

Watch your back

With the cyber underworld executing targeted hacks in search of profit, attackers are not going to try to break down the front door; they’re going to try to sneak their way in.

“Many of the most highly publicized security breaches in the past few years have been due to spear-phishing attacks, which are the most common form of social engineering attacks today. These include RSA, Epsilon, the White House, and more. The early reports about how the New York Times computer systems were hacked also suggest that spear-phishing was involved,” according to Hong.

Privacy equals protection

We should all be aware of what we post online and never give out more information than necessary. It sounds simple, but most people don’t even realize the dangers.

“When you receive an email asking you to share something or do something, consider what could be done with that information. If the email came from someone you know, is the format and the language consistent with previous exchanges? When people make requests for access or information in person or on the phone, be confident enough to challenge them in a friendly and respectful way,” says Pearson.

A typical scam involves a fraudster calling the victim and trying to get confidential information over the phone. Pearson warns: “When you receive a call from your bank, asking for seemingly viable information, take a moment to think what the person on the phone could use this information for and whether you really know who they are. Ask politely for their name, extension number and call reference and call the bank back on the number from your statement and ask to be put through to the extension of the original caller.”

Security awareness can strengthen a security policy by making people aware of the dangers. Hong agrees: “The underlying strategy and rationale for social engineering attacks is to circumvent all of the security measures in place by tricking people. For this reason, it’s critical for organizations to train people to be aware of the tactics that bad guys use, so that they can identify them and know how to react in given situations.”
