
Social Engineering Means What?

Saturday, July 4, 2009 0:47


If you have never heard of the term “social engineering,” don’t feel bad. Outside of the information security field, most people have not. It is a term that means using deception to gain access to something or to obtain some type of information. In the private investigative world, it is called “pretexting,” and in the real world, it just means a con. No matter what term you use for it, it is basically exploiting human nature and people’s trust to gain access to sensitive or valuable information. It can also result in physical theft or other types of security risks beyond the issue of information security. A social engineer claims to be someone, or makes themselves look like someone, who will be trusted by a business, a group of people, or an individual. This type of con or scam can occur in person, on the phone, or through a network such as e-mail or any of the many social networking sites like Twitter or Facebook.

Could You Be a Victim?

Let’s take a little test to see if you could be a victim. Read the question and decide what you would do before you look at the answer. See how many of these scams may fool you or your employees. You must answer truthfully! Go ahead and take the test; it will help make you aware of the types of scams that go on. Also, leave a comment and tell me how you did on the test!

Question: Someone calls the office and says, “This is John from tech services (either in-house or third party depending on what you use), and I was notified that you have a virus infection on your computer.  I need you to access your computer, and I will walk you through correcting the problem.”  As you are being walked through the guts of your computer, places you have never been, you start to get a little nervous that you may mess something up.  John then says, “Don’t worry about it.  Just give me your log-in information, and I will correct the situation and call you back when I have corrected it.”  Would you fall for it?

Answer: It might seem low-tech to use the phone, but it is still one of the most useful ways to collect information. A lot of people fall for it because the strategy plays on the person’s fear of their computer being infected and also on the fear that comes from their lack of technical understanding of a computer. To tell the truth, I was like this before I started learning about the insides of software and computers. There are still times that I get a little nervous when I am working on a new problem or situation. When people are put in a situation in which they think there is a problem, and someone can fix it for them, they will be more likely to trust that person, no matter what they are asking for.

Question: You are entering your office building, and I am carrying a bunch of stuff. I ask you to hold the door for me because I can’t get to my key or access card (if the building has an access control system), or I tell you I lost my key or access card. Of course, I am dressed and act like I belong. Would you let me in?

Answer: Most people do not ask other people to prove that they belong in the area, even if employees are supposed to have security badges.  Also, it does not take much to fake a badge using photography and quality printing.  On top of that, in most businesses, people don’t look closely at the badges to even confirm that the badges are legit.

Question: You are on Facebook, and one of your friends sends you a message saying that their car was broken into and all their credit cards and cash were stolen.  Could you wire them some money?  Would you wire the money?

Answer: It does not take much to steal someone’s Facebook password or to hack their account, and once this is done it takes nothing to send an instant message to your friend on Facebook requesting money. You can never be sure whether you are actually talking to your friend or to someone else. This is not limited to Facebook; this type of scam can occur on almost any type of social networking site.

There are also a variety of e-mail scams including phishing scams which you can read more about in my articles “Do I Need My Boat to go Phishing” and “Phishing Update”.  For the sake of time, I don’t want to repeat the information.

Most of these types of social engineering attacks take advantage of the trust factor. Some of these attacks may not be as big of an issue for smaller businesses, because there may only be ten employees and one tech guy so you know everyone, but do you know all the employees of the third-party companies you use for tech work, accounting, etc.? Don’t feel secure, though, just because you know all your employees. These types of scams have many variations and can easily get around the employee issue. For example, if you lease an office building, it does not take much to find out who the property owner is and then act like he sent me over to correct some problem with the building. I have dealt with a variety of businesses over the years, and it usually is not more than one or two companies a year that ask me for ID to prove I am who I say I am. Most just let me in to answer the many questions I have, which may include information regarding their security, without ever thinking about it.

What Can Be Done?

So what can be done? Like any security issue, you cannot prevent social engineering completely. Technical or physical controls can only do so much. People, your employees, are the key, and awareness training, in my opinion, is one of the biggest factors in reducing the risk of these types of scams succeeding. This training needs to be on-going throughout the year. For example, provide your employees on-going updates on different types of scams and how they work. Most people find this information interesting reading (kind of like a James Bond or secret agent book), and it helps keep the awareness level up. You could also perform social engineering tests or hire someone to do it for you. I think doing it internally and performing it on a quarterly basis would be a good idea. Make a game of it: who can think of the best scam, and who will be the first to be fooled by it? Bottom line, do what you can to keep everyone on their toes and aware of the many variations of social engineering attacks or scams out there.
