One of the key emerging threats of the digital age is social engineering, which is tricking someone into parting with personal information or into taking some kind of action through the misuse of technology. As its name suggests, social engineering is playing on psychological and emotional tendencies to take advantage of another person. A typical hacker might try to find some software weak spots; however, a social engineer might pretend to be a technician support worker or bank employee to trick someone into giving detailed information about their account.
Constantly Evolving Technology
As the technology is constantly evolving it is difficult to keep information security policies and technologies up to speed with the developments, and social engineers know all the techniques for manipulating employees and getting them to part with sensitive or confidential information. However, companies and others who need to protect data can alleviate some of the risks by having a pro-active security culture that addresses each new threat as it evolves.
Information Is Power
As in many walks of life, education counts for a lot, and by having organic security procedures that are constantly reviewed and updated, this can ensure that groups, companies and individuals can stay one step ahead of the social engineers. By educating yourself and any employees about the latest hacks they will know not to give out vital information unless they are absolutely sure of the source. Even casually talking about security and passwords in a public setting has sometimes been enough to give social engineers enough information and clues to get into systems and data stores.
Social Engineering Tricks
Following are some common tricks that you and your team should look out for.
Phishing
Most people have heard this word, and a social engineer will use this method to send a text or email to a potential victim to gain access to information that might then be used for a more extensive crime. These attacks are sadly still quite successful, and an example is the type of email that appears to come from a bank or a well-known company and asks recipients to click on a link which goes through to what looks like a trusted site. If the person then logs in the social engineer gains access to information that allows them to infiltrate bank accounts or other data.
Baiting
As with fishing, the social engineer baits his or her victim to try to make them take an action that will be damaging or perhaps reveal information. One trick is to leave a USB stick in a prominent place with a compelling message that looks authentic hoping that the victim will use it and infect their computer with malware.
Pharming
This technique also uses false websites but cleverly adopts a legitimate website to redirect users to a false one that looks almost identical. This trick is also known as domain spoofing and can lie dormant on a computer until such time as it is activated by the user – by accessing a particular URL for example.
Email Hacking
Most people will have had the email that looks enticing or seems to be from a friend – the whole point is to get you to open it and the objective of the social engineer is to acquire information or to spread malware.
Vishing
As with all the other techniques, the social engineer will try to trick the victim into giving personal information – in this case over the phone. How do you know that plausible and professional caller is really from the bank? Don’t give out data unless you know you are talking to a legitimate caller.
Quid Pro Quo
In this scam, the social engineer tries to make a bargain with an employee or another victim, such as promising them a quick IT solution to a problem if they will just give information such as passwords or other data. As with the other scams, the hacker is extremely convincing and persuasive!.
Protection Against Social Engineering
There are a range of measures that can be taken to ensure you don’t become a victim of social engineering whether you are an individual or manage a small or large company or group.
VPN's
For high-risk network services such as those containing very confidential information, or for large companies, a two-factor authentication process through using a VPN is one of the best ways of protecting data.
Password Management
The best method is to have a certain number of symbols/characters as standard and to change them regularly, and more formal companies and groups will want to set guidelines and reminders as part of their security processes.
Anti-malware defenses
Having effective anti-malware and anti-phishing devices and ensuring these are multi-layered and updated regularly can go a long way towards protecting against social engineering tricks.
document handling
There are regular stories in the news about confidential documents found on the streets or in the trash, so ensure you have a stringent policy for disposal of confidential waste.
security for visitors
Social engineers are opportunists and look for any ways to infiltrate an organization and that can also be in person. Therefore, ensure you have a procedure that means all visitors sign in and are monitored effectively while on your premises.
Summary
It’s a scary and dangerous world — and it seems to be growing more so every day. Our data and our privacy is under a constant state of siege and social engineering attacks are becoming more sophisticated and, in some cases, more difficult to thwart. However, by taking the steps outlined above, you can help ensure that you will not become another victim in the social engineering war.
For additional information, check out the following article: What Is A Social Engineering Attack And How To Protect Yourself.
Education Opportunities On Security Available from K2 Enterprises
- K2 Enterprises Technology Conferences
- K2’s Securing Your Data – Practical Tools for Protecting Information
- K2’s Ransomware – Reducing Your Risks
- K2’s Filtering the World – Spam, Virus, and Malware Protection
- K2’s Implementing Password Management and Data Loss Prevention Tools
- K2’s Security – A Practical Guide
