Technology Alone Is Not Enough for Security
What is “social engineering?”
Even if you think you’ve taken every possible step to make certain your data is secure, there’s one aspect of security you may well have overlooked – exploitation of the human factor, also referred to as “social engineering.” In the context of IT security, this is the psychological manipulation of people so that they act in a way that lets attackers bypass technical security controls, or so that they share information that should be confidential. For example, rather than trying to break into a system or crack a password, an attacker simply persuades a human user to hand the password over.
What are some kinds of social engineering to watch out for?
Phishing: This is a technique for obtaining confidential information by fraudulent means. It can involve attempts to acquire user names, passwords, credit card details, or even money. Phishing attempts frequently use the following techniques to make people more likely to share information:
● Using link shorteners or embedded links so that a link looks legitimate while its real destination is hidden. After these links are clicked, they direct the victim to websites created for fraudulent purposes.
● Using threats to create a sense of urgency and fear so the victim will act quickly without thinking through their actions (e.g., “Your account will be canceled unless you act immediately!”).
Tips for preventing phishing: You and your employees should be wary of any request for information that should be confidential. Take the time to verify that the request is legitimate, through a channel you already trust rather than the one the request arrived on, before providing information.
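The two phishing techniques listed above (disguised links and urgency language) can be checked for mechanically before a message reaches a user. The following Python script is an added example written for this page, not code from the original article: it parses an HTML email body, extracts each link, and flags link shorteners, links whose visible text names a different site than the real destination, and destinations outside a trusted domain list, alongside common urgency phrases. The sample email, the trusted domain “examplebank.com”, the shortener list and the urgency phrases are all constructed assumptions for the illustration; a real deployment would use the organisation’s own domain list and a fuller phrase list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style email body (not from the original page).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account will be canceled unless you act immediately!</p>
<p>Please <a href="https://bit.ly/3xyzabc">verify your account</a> now.</p>
<p>Or visit <a href="http://secure-login.example.net/auth">https://www.examplebank.com/login</a>.</p>
<p>Help center: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

# Hypothetical allow-list of the organisation's own domains (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}
# Small, illustrative list of link shorteners; a real tool would maintain a longer one.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Illustrative urgency phrases of the kind the article warns about.
URGENCY_PHRASES = ("act immediately", "account will be canceled",
                   "within 24 hours", "verify your account")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, anchor text)
        self.text = []       # all text nodes, used for phrase matching
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation: keep the last two labels. Adequate for this illustration;
    # a production tool would consult the public suffix list instead.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href, text):
    """Return a list of findings for one link (empty list means nothing suspicious)."""
    findings = []
    href_domain = registrable_domain(urlparse(href).hostname or "")
    if href_domain in SHORTENER_DOMAINS:
        findings.append("shortener")
    # If the visible text itself looks like a URL, compare its host with the real destination.
    m = re.match(r"https?://([^/\s]+)", text)
    if m and registrable_domain(m.group(1)) != href_domain:
        findings.append("text/href mismatch")
    if href_domain not in TRUSTED_DOMAINS and href_domain not in SHORTENER_DOMAINS:
        findings.append("untrusted domain")
    return findings


def analyse_email(html):
    """Analyse an HTML email body; returns urgency phrases, per-link findings and a verdict."""
    parser = _LinkExtractor()
    parser.feed(html)
    body = " ".join(parser.text).lower()
    urgency = [phrase for phrase in URGENCY_PHRASES if phrase in body]
    links = {href: analyse_link(href, text) for href, text in parser.links}
    return {
        "urgency_phrases": urgency,
        "links": links,
        "suspicious": bool(urgency) or any(links.values()),
    }


if __name__ == "__main__":
    report = analyse_email(SAMPLE_EMAIL_HTML)
    print("urgency phrases:", report["urgency_phrases"])
    for href, findings in report["links"].items():
        print(f"{href}: {', '.join(findings) or 'ok'}")
    print("suspicious:", report["suspicious"])
```

Run against the sample, the shortened link is flagged as a shortener, the link whose visible text reads “https://www.examplebank.com/login” is flagged because it actually points at example.net, and the genuine help-center link passes. A check like this is a filter, not a verdict: the human verification the tips above call for still applies to anything that gets through.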
Tailgating: Also known as “piggybacking,” this kind of attack refers to entering a restricted area by simply walking in behind a person who has the proper access. Once inside, an attacker has much easier access to unattended laptops, network ports, documents, and so on.
Tips for preventing tailgating: You and your employees need to create an atmosphere where it is not considered “common courtesy” to allow entrance to unknown people who do not have the proper security credentials. While it might seem polite to hold the door for another person, train employees to only do so if they also verify that the other person has the appropriate security card or other credential.
Quid pro quo: Quid pro quo means “something for something.” These attacks offer a promised benefit in exchange for information or access. For example, an attacker may call a series of phone numbers at a company, pretending to be a technical support representative following up on a reported problem. Odds are good that after enough calls, they’ll reach a person who does, in fact, have a problem. At that point, the attacker may exploit the victim by having them install malware or otherwise grant the attacker access.
Tips for preventing quid pro quo attacks: Technical support representatives should be able to provide identifying information (e.g., a ticket number for a reported issue) before you or your employees trust them with information or access. More generally, you and your employees should be wary of offers that appear “too good to be true,” and of unexpected offers to improve credit scores, financing, and so on.
Additional tips to avoid social engineering attacks
Don’t be in a hurry – Attackers want you to act before you think. When dealing with suspicious requests, remember to slow down.
Be wary of unusual emails – If an email that appears to come from a trusted source seems odd to you, that sender’s account may have been compromised. Verify the source of the email through a separate channel, such as a phone call to a number you already know.
Educate and train your employees regularly – Make sure everyone in your company is familiar with the various types of social engineering attacks and that they know which information is considered confidential.