Hackers have more tools at their disposal and tricks up their sleeves than ever before, but physical and logical controls are also improving. This means that a lot of the time when breaches occur, they do so because of social engineering.
Social engineering is a term used in the information security community that basically means using old-fashioned trickery or “conning” somebody. It’s using con-man techniques to convince a person at the other end of a phone call, e-mail, text message or Facebook chat that the hacker is someone they can trust. According to Verizon’s 2011 Data Breach Investigations Report, about one out of every 10 security breaches is accomplished through social tactics.
Social engineering is important for businesses to understand because it often involves “human error” which can be difficult to plan for. No matter how much money is poured into a company’s network security, if an employee is fooled by a social engineering attack, that security will count for nothing. The key here is training: regular meetings, workshops and seminars for employees will reduce the danger of social attacks.
Here are the top six social engineering techniques most commonly used by hackers:
1. “Urgent Request - Your Verification Is Needed” The phishing e-mail is one of the most popular types of social attacks because it’s easy and low risk to carry out. Here's how tell if you’re being phished: First, legitimate banks and credit card companies won’t send you e-mails that ask you to verify or correct account information via e-mail. Otherwise it can be very difficult to tell if the e-mail is a phishing scam. Thanks to readily available crimeware kits, almost anyone can create a sophisticated and realistic looking e-mail from a bank, credit card company, store or government agency. The only way to stay safe is to call the company directly or go to the Web site.
2. “Why Are You Tagged In This Video?” - Social networks like Facebook, LinkedIn and Twitter provide ideal venues for hackers to infiltrate companies by catching employees off guard. Clickjacking is a common trick to lure victims into downloading malicious software, but “friending” a person to solicit sensitive information from them is an equally effective strategy. About a year ago, a fake woman named “Robin Sage” was able to friend a number of high-ranking officials in the U.S. government and military.
3. “Hi, I’m from IT and You’re Infected” Believe it or not, one of the easiest ways to infiltrate a company is to simply call employees, claim to be from the IT department, Web host or a security company, and tell them you’ve found an infection on their computer and need their help to remove it. The scam works best if there’s a big security incident making headlines. When the removal process gets too complicated for the employee, the scammer offers to do it himself--all he needs is the password and account information.
4. "Can I Borrow Your Password?” Employee-on-employee social engineering is not uncommon either. According to Verizon’s 2011 security study, up to 17% of data breaches are committed by company insiders. Employees are more susceptible to social attacks that come from their peers. Unhappy employees can use this strategy to gain unauthorized access to corporate information or networks.
5. “Our Billing Is Out of Date” By pretending to be a vendor or service provider who needs to update the accounting information a hacker can gain administrator passwords quite easily.
6. The Innocuous Thumbdrive Conferences and trade shows can be a hot zone for hackers. One clever ploy that often works is to leave an infected thumbdrive or CD with an intriguing label (“bikini photos,” for instance) on a table and wait for an unsuspecting victim to take the bait. As soon as the thumbdrive or CD is inserted into the laptop or computer, voila: a Trojan or spyware may be installed.
The key point to remember is that social engineering is a persistent threat and there’s no way to secure a company or organization from it entirely. The only way to reduce the risk is to train employees - provide regular training in basic IT security and teach them what to look for in social engineering.
By educating its personnel, and continually reminding them about the threats, a company can greatly reduce its risk of human error.
Michael Gregg, CISSP, CISA, CISM, is an ethical hacker, cybersecurity consultant to companies and government agencies, and the author of over a dozen IT security books. A well-known speaker and security trainer, Mr. Gregg is COO ofSuperior Solutions, Inc. in Houston, Texas.