With all the recent talk on ransomware and the rise of cyber attacks, we in the IT security community tend to focus on the more technical side of things — the code attackers use or the software that hackers might exploit. The truth is, though, the greatest tool in a hacker’s toolkit isn’t technical at all. It’s good old-fashioned social engineering.
Social engineering, in general terms, is simply the application of sociological principles to specific social problems. As a shorthand in the IT industry, however, it refers to hackers turning our innate human empathy and trust in one another against us in order to create a security vulnerability they can exploit. Below we describe a few ways your business may be vulnerable to social engineering and how to protect against it.
Before implementing an update to your IT security policies, it’s important to ensure you are also providing training for your employees on identifying a social engineering attack. While some social engineering attacks seem obvious and can be prevented with updated spam filters on employee email, more coordinated attacks may be more complex.
One of the most common (and most successful) examples involves someone calling your organization posing as a potential client. They may ask probing questions, seemingly under the guise of a client researching a potential business partner, that can later be used to compromise your organization’s financial accounts, social media, or more. You may also receive calls from people posing as current employees who have “forgotten their password” or other important information. This is even more likely if your business is known to employ several remote workers.
Let’s take a closer look at popular social engineering scams that businesses must combat each and every day.
Enterprises of all sizes typically have a person designated to handle all incoming phone calls that require human interaction. The Toner Pirate Scam uses the classic social engineering technique of calling a receptionist and posing as the vendor that services your copiers, scanners and multifunctional devices in your office.
The scammers pressure the person answering the phone to respond to questions such as “What model printers do you have in your office?” and “Who is your accounts receivable associate?” They may even frame the questions as a “routine audit” of the types of equipment the business has deployed.
When unsuspecting office members answer these questions, your business will begin receiving nondescript invoices addressed directly to the person responsible for paying the bills in your company.
The scam pays off when the toner pirates sell your business a toner cartridge for the model of printer you actually have; it is a real cartridge, but your accounts payable person unknowingly pays nearly $700 for a single toner that routinely costs $50-$75 through your local dealer.
With a flair for puns, social engineering experts have begun shifting their focus from “little phish” (such as mid-level associates) to target the executive leadership, which they call “whales”.
Phishing attacks are popularly used by scammers who aim to extract information out of a business via email. While phishing attacks target associates that interact with the public, whaling attacks go beyond that and directly target the executive staff in your organization.
No organization should ever rule out the possibility of falling prey to the ‘whaling’ scam, for one distinct reason: there is probably a tremendous amount of public data available about your executive leadership that can be used to hijack identities through services with weak password retrieval policies in place.
Not only that, while many of your employees may be aware of social engineering tactics, executives sometimes get a pass on critical information awareness training.
Executives are more likely to sacrifice security for convenience, using unapproved devices or by asking a low-level IT employee to remove a content filter for personal internet use.
In February of 2016, SnapChat admitted in a blog post that its HR department was tricked into sending out confidential information about its employees to a person posing as an executive within the company.
SnapChat, a company that ironically touts the security of its photo sharing app, was the target of a whaling attack that put some of its employees’ personal information into the hands of a social engineer.
How can you prevent your business from becoming their next target?
Organizations must implement stringent policies for protection against and prevention of social engineering. Because these attacks are becoming so prevalent, it is advisable that all businesses provide some sort of training to their employees to keep them up to date on the latest social engineering tactics.
What if an executive asks your HR representative for sensitive information? What’s your organization’s policy concerning the transfer of this data?
Your organization should craft a policy governing these very transfers, such as requiring hand delivery and the signature of the person receiving the data. This type of policy helps mitigate the potential for a data leak, versus providing access to a PDF that can be shared with anyone.
Did you know that social engineers will sit around on the phone all day trying to scam a business? Oftentimes, they only have to be successful once in order to make enough money to make their endeavor worthwhile.
Your business should always consider using two-factor authentication on all of its public-facing services that require a username and password. A two-factor authentication scheme is a must for businesses that are required to provide remote connectivity to the network.
Furthermore, it provides an additional layer of security, since two factors must be met before authentication is granted. Two-factor authentication also provides extensive audit logs, which give evidence of who, what, where, when and how parties are trying to authenticate onto your network.
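To make the two points above concrete (both factors must verify before access is granted, and every attempt leaves a who/what/where/when/how record), here is a small added example of a password-plus-TOTP authenticator. It is example code written for this article, not anything from the original post or from a vendor, and it assumes a time-based one-time code per RFC 6238 as the second factor; the user names, IP addresses and the `Authenticator` class are constructed for illustration.

```python
"""Two-factor (password + TOTP) check with an audit trail.

Added example (not code from the original post): access is granted only
when BOTH the password and a time-based one-time code verify, and a
who/what/where/when/how record is written for every attempt.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 100_000   # assumption: tune the work factor for your hardware
TOTP_STEP = 30            # seconds per TOTP counter value (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes


class Authenticator:
    """Hypothetical login service: password (knowledge) + TOTP (possession)."""

    def __init__(self) -> None:
        self.users: dict = {}
        self.audit: list = []          # one who/what/where/when/how record per attempt
        # Dummy credentials so unknown usernames cost the same time as real ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt), totp_secret)

    def authenticate(self, username: str, password: str, code: str,
                     source_ip: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        # Factor 1: password, verified against dummy data if the user is unknown.
        salt, expected = (user.salt, user.pw_hash) if user else (self._dummy_salt, self._dummy_hash)
        pw_ok = hmac.compare_digest(hash_password(password, salt), expected)
        # Factor 2: TOTP, allowing one step of clock drift either way.
        otp_ok = False
        if user:
            for drift in (-1, 0, 1):
                otp_ok |= hmac.compare_digest(totp(user.totp_secret, now + drift * TOTP_STEP), code)
        if user is None:
            outcome = "unknown_user"
        elif pw_ok and otp_ok:
            outcome = "success"
        elif not pw_ok:
            outcome = "bad_password"
        else:
            outcome = "bad_otp"
        # The audit record is written whether or not the attempt succeeded.
        self.audit.append({"when": now, "who": username, "where": source_ip,
                           "how": "password+totp", "what": outcome})
        return outcome == "success"


if __name__ == "__main__":
    # Constructed demo data; the secret is the RFC 6238 test-vector seed.
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple", b"12345678901234567890")
    ok = auth.authenticate("alice", "correct horse battery staple", totp(b"12345678901234567890", 59),
                           "203.0.113.5", now=59)
    print("granted" if ok else "denied", auth.audit[-1])
```

The audit list is what an operations team would actually forward to a log collector: every attempt, including failures against unknown accounts, carries the source address, the outcome and the timestamp, which is exactly the "who, what, where, when and how" evidence the paragraph describes. Note that the caller only ever sees a boolean; which factor failed is recorded for defenders, not returned to the requester.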
There’s no offense like a good defense, and BACS Consulting Group is happy to speak with you about setting up preventative and defensive policies that will help keep your organization (and employees) secure. When we perform an IT Security Audit, we look all throughout your system, checking for weak spots and vulnerabilities in your “security armor”. Then we’ll sit with you and take a look at the best ways to close those loopholes and keep your company safe. Reach us by phone at (650) 887-4601 or schedule your IT Security Audit online just by clicking the banner below.
Published on 19th April 2016 by James Berger.