When IT executives think of their organizations’ IT security, they may think of the type of encryption software they’re running, the type of firewall, or the particular anti-virus they have installed. C-level executives rarely think about IT security, especially around the human element of organizations. Social engineering is, essentially, the field of “hacking” humans, and it includes a broad spectrum of malicious activity both online and in-person – vulnerabilities that can lead to significant losses.
In its simplest form, social engineering is a con game targeting the human employees of an organization to break inside. Social engineering comes in many forms and in this post, we’ll take a look at some common types. We’ll look at phishing, baiting, tailgating, pretexting, and even scareware. It is good business to understand what the risks of social engineering encompass and how they can be used against your organization. Palm Beach Software Design recommends that security and IT teams alike regularly perform penetration tests involving social engineering techniques.
At first glance, baiting may seem rather trivial and executives may think their employees would never fall victim to it. Baiting is the simple act of putting or leaving some sort of hardware, flash drive, CD, DVD, etc., somewhere where that company “troll bait” (employees) will find it. A famous case involved dropping infected hard drives around a company parking lot and waiting until unsuspecting employees plugged them into company systems. The “bait hardware” may be infected with any random assortment of malicious software and upon loading, the host system is infected. Unfortunately, studies show that people are extremely likely to plug in a random flash drive they have found to see what it contains.
Another form of baiting happens online when “baiters” lure victims with the promise of an item or good, like offers of users free music or movie downloads, if they surrender their login credentials to a certain site. Baiting is essentially the modern day “Trojan horse” and can easily be the “silent” killer of an organization’s system.
Phishing is a more common social engineering technique. Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Phishing is fraudulently obtaining personal information, such as names, addresses, and social security numbers, usually via email. Phishing often incorporates threats, fear, and a sense of urgency in an attempt to manipulate the user into acting immediately. Most people are familiar with the classic Nigerian Prince phishing scheme, where the sender claims to be a prince who needs you to send money or information, but phishing can be much more subtle.
Phishing emails attempt to get users to share private information or click a link to the malicious software. When a specific organization or person is targeted, this is known as “spear phishing” and these emails always appear to be from a trusted source. A recent, sophisticated phishing scheme involves sending emails to accounting departments, purportedly from the CEO, CFO or president of the company instructing accounting employees to transfer or wire money to an included account number. Good email practices and information security are the best countermeasures to a majority of phishing attacks.
Tailgating and Scareware
Tailgating or “piggybacking,” and scareware are often overlooked methods that can pose a serious threat to any business. Tailgating is the simple method of walking behind someone through a gate or door that requires some sort of key, like RFID, for example. A real world example of this is driving behind someone through a gated community or unmanned company security gate, getting in on their “key” or “code”. Tailgating is an easily exploited vector because employees often want to be polite and let people through the door with them, or are reluctant, or unable, to confront people who scoot in behind them without permission.
Scareware is the technique of using malware, which tricks the user into thinking their machine or software is broken or infected, then offering to “fix” it. The machine is then actually infected with malicious software or private information is illegally taken from the machine. Scareware programs often generate pop-ups that resemble Windows system messages and warn the user that viruses or other problems have been detected.
Finally, pretexting could simply be summed up as telling tall tales or lying to get what the scammer wants. Specifically, pretexting is a social engineering strategy where attackers create a fictitious scenario, a pretext, that sounds entirely realistic, in order to steal personal information. These types of attacks commonly utilize public information to create a plausible situation which tricks victims into believing they are talking to the bank, a credit card company or the IRS.
Company employees have fallen for this when outside IT services auditor impersonators claimed to be working in a facility at night when the employees wouldn’t be “inconvenienced” by their security checks and new security installations. Another scenario involves scammers representing that they are from the company’s large IT department, and the information is needed to upgrade or update a system. As with phishing, attackers will often create some form of panic to decrease the probability of victims questioning the attackers’ authenticity. The key to any successful pretexting is the victim’s lack of verification of the attacker’s credentials.
Social engineering should be considered at every level of your organization and measures against it are just as valuable as any other aspect of corporate security. Awareness of these various techniques is the first step to making sure these attacks fail. The next time you’re chatting with your IT professionals, request that penetration tests be run against these “social engineering” methods to truly test your system and assess the vulnerability of the corporation.
Palm Beach Software Design is a top-notch business software development firm with 30 years of experience designing and developing custom solutions for businesses up to $75M in sales. We can be reached at 561-572-0233, www.palmbeachsoftware.com