Social Engineering or How To Be a Helpful Victim
What’s the biggest threat to security on the internet? Viruses? Nope. Trojan horses? Guess again! The biggest threats on the internet are people. Without education on the subject, it is human nature to be vulnerable to social engineering.
Social engineering is the use of psychological tricks to gain information. Hackers tend to use social engineering to get information that will help them gain access to a computer network.
For example:
Bob: Bob in Accounting, can I help you?
Mark: Hi Bob, this is Mark in the IS Department. We have made some changes to the mail server and in the process lost your account settings. You may have noticed your email volume has been rather low today. I need to get your email address and password so that I can fix the problem.
Bob: Sure, I thought something wasn’t quite right. It’s bob@anyoldcompany.com and my password is b0b123.
Mark: Thanks, Bob, things should be back to normal shortly.
Bob: My pleasure, thanks for getting to the problem so quickly.
In reality, Mark doesn’t work for the company and there is no problem with Bob’s email. Mark, on the other hand, has just managed to get access to a computer in the accounting department of a major corporation.
Social engineering has existed since the beginning of time. Charlemagne used it to inspire his troops to victory. A football coach uses it to raise his players’ performance. Anything which plays off of human emotion can be viewed as social engineering.
Most people want to be helpful, and that is both a blessing and a curse. Human nature dictates that when we do something good for someone else, we tend to feel better about ourselves. People are attracted to things that make them feel better about themselves and things that offer some sort of reward. In the modern information age, this play on emotion is a hacker’s best offensive weapon. In the example above, Bob assumed that if he was told of a problem, there must be one, and helping a fellow worker just seemed like the right thing to do.
Why is social engineering talked about so little if it is such a big problem? Mainly this can be attributed to another human emotion: embarrassment. Most people consider social engineering an attack on their intelligence. No one wants to be considered foolish enough to fall for a security snafu. Most people, even when they are aware they have been victimized, will not confess to the incident. But the truth is that most of us, no matter how careful we are in other aspects of security, are still vulnerable to social engineering.
What Can Be Done About It?
First off, don’t be embarrassed to talk about it. Awareness is the key to protecting yourself, your friends and your employer. In a business environment the best prevention is training.
Establish a set of guidelines explaining that anyone asking for passwords or company information should be questioned. Assure employees that asking questions does not make them seem unhelpful. Put the guidelines and procedures into a written policy and make it part of new hire training along with their usual phone training. Make sure that every employee knows the policy and understands the hows and whys of social engineering.
Some
Remember, a good firewall and password policy are only part of the puzzle in keeping your company safe.