Data Security And Social Engineering
Data security is (and should be) on everyone’s minds these days. End-to-end encryption, secure facilities, passwords that are strong enough to withstand cracking software.
All these techniques are proven to work. That’s why criminals go for the soft underbelly of all security measures — human beings.
The type of ‘hacking’ that occurs when you target employees in order to gain access to data is called ‘social engineering,’ and we want you to know what it looks like. Here are several of the most common social engineering hacks.
Do you use secure keycards to restrict access to your facility? That’s great. But does everyone key in all the time? Tailgating works on basic politeness. A man with his arms full comes up behind a legitimate worker and says, “Hey, can you hold the door for me?” and the worker complies. Even if there is a specific directive against holding the door for just this reason, it’s relatively easy for someone to strike up a conversation in a way that makes them seem familiar. Or they explain their unfamiliarity by being ‘the new guy,’ and beg for help to avoid being ‘late on the first day.’ In short, social engineering tactics play on human impulses: to help, or to be kind.
Curiosity is another human trait. In one ingenious hack, social engineers left USB sticks carrying Trojans lying around a parking lot. Conscientious employees picked them up, brought them inside, and plugged them into their computers to see if they could identify the owners, unwittingly loading keyloggers onto their hard drives.
Pretexting is a simple exercise in which a social engineer asks for one piece of information under the guise of ‘verifying’ another.
Unlike ‘phishing’, which uses fear and alarm to overcome caution, pretexting typically has a much tighter backstory: the person asking appears trustworthy and the pretext seems entirely legitimate.
What can you do about social engineering?
Almost everyone is convinced that they would never fall for social engineering tactics. That makes this sort of security a great candidate for a ‘scared straight’ exercise. In 2009, to demonstrate a firm’s weakness to social engineering, a security consultant walked into a financial services company without being challenged, based himself in a third-floor conference room, where he worked for several days, and proceeded to use the internal telephone system to pretext employees. 17 out of 20 of his victims handed over their login and password information.
Being faced with the reality of how being accommodating and human allows criminals to exploit us is a great first step to being truly security-conscious.