Skilled Social Engineers Threaten Your Proprietary Data
I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.
Unfortunately, there are a lot of bad guys out there who do this, too.
The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.
Your best line of defense: Training your people.
Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.
Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears and acts “normal”.
Bank robbers case the joint. So do Social Engineers.
When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those who know the company best. Their information gathering can range from simple phone calls to dumpster diving.
Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why social engineering is the most effective tool in attacking a company and why so many people fall victim. Your staff also needs to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.
Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.
James Holler is founder of Abidance Consulting.