
{"id":2035,"date":"2012-09-07T00:00:00","date_gmt":"2012-09-07T00:00:00","guid":{"rendered":"http:\/\/otava.test\/social-engineering-security-is-a-mindset\/"},"modified":"2012-09-07T00:00:00","modified_gmt":"2012-09-07T00:00:00","slug":"social-engineering-security-is-a-mindset","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/","title":{"rendered":"Social Engineering: Security is a Mindset"},"content":{"rendered":"<p>Social engineering is an amorphous subject. In essence, the idea is to coerce someone into giving you information and\/or access that, by all accounts, you shouldn\u2019t have. However, the ways that social engineers can maliciously get anything from credit card information to usernames and passwords are almost infinite.<\/p>\n<p>And why not use this method? If I had the choice between breaking a door down, or having someone from inside open it for me, I can assure you it wouldn\u2019t take me long to decide which one to pick. Social engineering in many cases can be easier than trying to break into a system, and could leave the hacker with fewer fingerprints on the proverbial door-knob. Likely, most people are at this point familiar with Mat Honan\u2019s story from Wired Magazine. In just half an hour he had all his passwords changed, his phone, tablet, and MacBook wiped, as well as his Google account deleted. Goodbye baby pictures of his daughter, and extensive contact list (among many other things). All this because the hacker liked Honan\u2019s Twitter handle, and wanted to get into the account. The social engineer was able to do this by calling up the support lines of both Apple and Amazon, and gathering enough info from one rep to call the other and get a temporary password sent. 
Once he was in, he locked Honan out, and proceeded to completely destroy his online presence.<\/p>\n<p>Other examples of <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/how-to-protect-yourself-against-social-engineering\/\">social engineering<\/a> tactics can include simple things like a man dressed as a UPS worker standing outside an office, looking for help with the door. An email designed to look like it comes from a large (and trusted) company explains that there\u2019s some security trouble, and asks you to follow a link and enter your username and password so you can change it and keep your information secure. A virus-laden USB drive left around the office, waiting for the first unsuspecting worker to plug it into their computer so they might find the owner in order to return it.<\/p>\n<p>If there are so many tricks and tactics used by social engineers to get this information, why aren\u2019t people more aware of the risks? A fundamental issue, as illustrated by Bruce Schneier in the TED Talk \u201cBruce Schneier: The Security Mirage,\u201d is that security is split into Feeling and Reality. Feeling secure and being secure are two different aspects of the same concept, and this oftentimes is the gap that social engineers sneak through. If someone dressed as a police officer or an auditor walks up to you, there\u2019s an inherent feeling of safety and security. I spoke with Steve Aiello, Sr. Systems Engineer, CISSP at Online Tech, who explained to me that \u2018security is a mindset. It\u2019s important to look at each situation before giving information and wonder, \u201cWhat is the motivation behind this? Why do they need this information?\u201d\u2019<\/p>\n<p>He went on to talk about specific examples of instances when hackers had attempted to get information from him. \u201cPeople used to contact me all the time offering jobs. They would explain this great opportunity and spend some time with me on the phone. 
Then they would send me an application that requested information like my social security number. Simply doing some research on the company, I found that they weren\u2019t a real business, and told them I wouldn\u2019t give them any information. They can be really patient too; I remember him spending a lot of time on the phone trying to convince me.\u201d<\/p>\n<p>Asking yourself why someone needs the information they\u2019re asking you for is one of the simplest ways to catch some of these threats. There should be no reason that anyone would need your login credentials. So if someone\u2019s asking, you need to wonder why. Also, be aware of what the information you\u2019re giving out can potentially do. What can someone do if they know your email address? Your home address? Your phone number? It might not be as obvious as \u2018give me your bank account number\u2019, but with just a few details and a little research it won\u2019t be hard for a social engineer to get everything they need.<\/p>\n<p>Steve also explained some other <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/how-to-protect-yourself-against-social-engineering\/\">measures you can take<\/a> to keep yourself and your business as safe as possible: \u2018Nothing can fully prevent social engineering from happening. Antivirus is useless if you\u2019re a specific target because they\u2019ll get their information from people. That\u2019s why it\u2019s so important to train your employees. You need to have very specific processes, and they need to be followed exactly. Also, the workers need to know that they have support from their superiors. I always say if a client is upset because of a process that we have in place, and that makes one of our support individuals uncomfortable, let me talk to them. I\u2019ll back them up so they know it\u2019s okay to push back on those clients. I usually get on the phone and explain that the process is in place for their safety, not to be inconvenient. 
Getting that backup means I have a better chance that they\u2019re going to follow that process, and keep our center more secure.\u2019<\/p>\n<p>In a world of \u2018the customer is always right\u2019, this is something that needs a little more focus. A customer service individual might get nervous when the person on the other end of the line starts getting upset, and could potentially bend or break the rules to make them happy. After all, their entire job is to help give the customer what they want or need, and to have them leave feeling that they had a good experience. Knowing that they can say no when appropriate can keep a business safer.<\/p>\n<p>It\u2019s also important to make sure the staff understands not just what processes are in place, but why they are. Understanding the reason behind a rule is going to make them less likely to break that rule when put in a bad situation. Much like having a supervisor back them up, a reason for the process gives the worker\u2019s action (or inaction) weight and validity, instead of that \u2018why am I even doing this\u2019 feeling. If something doesn\u2019t seem important, it\u2019s much easier to forget or disregard.<\/p>\n<p>Lastly, keep in mind that this education and awareness is ongoing. While it might take some time and money to continually and periodically train employees, it\u2019s nothing compared to what a security breach could cost in the future. Training sessions, testing, and reinforcement are some of the best investments a company can make to keep the social aspect of their security as impenetrable as possible.<\/p>\n<p><strong>About Steven Aiello<\/strong><\/p>\n<p>Steven Aiello is a Senior Systems Engineer with Online Tech, the Midwest\u2019s premier managed data center operator. 
His certifications include CISSP (Certified Information Systems Security Professional), ISACA CISA, VMware VCP (VMware Certified Professional), Cisco CCNA (Cisco Certified Network Associate), CompTIA Security+, and Certified Incident Responder (New Mexico Tech).<\/p>\n<p>Related Links:<br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/the-latest-it-security-stats-are-you-at-risk\/\">The Latest IT Security Stats: Are You At Risk?<\/a><br \/>\n<a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/solutions-for-the-top-5-security-vulnerabilities\/\">Solutions for the Top 5 Security Vulnerabilities<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Social engineering is an amorphous subject. In essence, the idea is to coerce someone into giving you information and\/or access that, by all accounts, you shouldn\u2019t have. However, the ways that social engineers can maliciously get anything from credit card information to usernames and passwords are almost infinite. And why not use this method? If I had the choice between breaking a door down, or having someone from inside open it for me, I can assure you it wouldn\u2019t take me long to decide which one to pick. Social engineering in many cases can be easier than trying to break into a system, and could leave the hacker with fewer fingerprints on the proverbial door-knob. Likely, most people are at this point familiar with Mat Honan\u2019s story from Wired Magazine. In just half an hour he had all his passwords changed, his phone, tablet, and MacBook wiped, as well as his Google account deleted. Goodbye baby pictures of his daughter, and extensive contact list (among many other things). All this because the hacker liked Honan\u2019s Twitter handle, and wanted to get into the account. 
The social engineer was able to do this by calling up the support lines of both&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[59],"tags":[],"other_category":[],"class_list":["post-2035","post","type-post","status-publish","format-standard","hentry","category-information-technology-tips"],"acf":[],"yoast_head_json":{"title":"Social Engineering: Security is a Mindset | OTAVA","description":"The ways that social engineers can maliciously get anything from credit card information to usernames and passwords is almost infinite.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/","og_locale":"en_US","og_type":"article","og_title":"Social Engineering: Security is a Mindset","og_description":"The ways that social engineers can maliciously get anything from credit card information to usernames and passwords is almost infinite.","og_url":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/","og_site_name":"OTAVA","article_published_time":"2012-09-07T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Social Engineering: Security is a Mindset","datePublished":"2012-09-07T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/"},"wordCount":1201,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"articleSection":["Information Technology Tips"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/","url":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/","name":"Social Engineering: Security is a Mindset | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-09-07T00:00:00+00:00","description":"The ways that social engineers can maliciously get anything from credit card information to usernames and passwords is almost infinite.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/social-engineering-security-is-a-mindset\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Social Engineering: Security is a 
Mindset"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma 
Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2035"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2035\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2035"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}