We apologize for the delay on a new post, we had to fire the band of monkeys that write all our posts (something about a labor code violation). But that leaves the question, who am I?
The real reason we haven’t had new posts is that we’ve been hard at work preparing for a luncheon on security for our local Chamber of Commerce. On that note, we chose to write this week’s article on an aspect of security that is mostly overlooked: Social Engineering.
What is it?
Social Engineering is a form of attack that targets the human element of security: your employees, or you. The basic premise behind social engineering attacks is rather simple: pretend that you’re someone you aren’t, and lie, lie, lie. For instance, a hacker could call up a pizza place, say he was an unsatisfied customer, and ask for a replacement pizza. This type of attack hinges on two main points: the person answering the phone is dissatisfied enough with their job that they don’t care to look into the complaint, and the person calling is able to gain the trust of the person on the other end of the phone.
In a corporate setting, or even a small-to-medium sized business, the implications of this type of attack are huge. An attacker could easily call up your business and ask for (or be routed to) the lowest person in the company. Then, the attacker would need to establish trust with the person on the other end of the phone. The easiest way to do this, if you’re dealing with someone who knows little to nothing about technology, is to say you’re from the IT department/company or the company’s ISP (note that you wouldn’t really need to say “I’m from XYZ company”, as the person on the other end of the phone probably doesn’t know who their ISP is anyway).
Once you’ve established trust with your “victim”, you can get them to do practically anything. The less they understand what they themselves are doing, the less likely they are to question your motives and the more likely they are to hand you the keys to the castle. It often takes less time and effort than people think, and it’s usually more successful than trying to crack passwords or break through your firewall.
What can I do about it?
The first step toward protecting yourself against social engineering attacks is rather simple, yet no one seems to get it: don’t give information to someone who doesn’t need it. I’ll say it again: DON’T GIVE INFORMATION TO SOMEONE WHO DOESN’T NEED IT! This could be your secretary, your children, your spouse, your mailroom guy, etc. None of them need to know your password, so don’t give it to them. None of them need administrative access on their computers, so don’t give it to them. The less information you give them, the less they have to give away. The CIA learned this a long time ago; time for you to learn it too.
Secondly, tell your employees, family members, etc. not to give out any network/computer-related information to anyone. It’s easier to make it that absolute than to try to define what is sensitive and what isn’t sensitive to someone who doesn’t know the difference between a mouse and a modem. Have a meeting and explain to them that social engineering attacks DO happen, and let them know that you can’t have any wiggle-room when it comes to security.
Finally, use common sense. If you get a call from someone claiming to be from your ISP and it’s from an “Unregistered” number, hang up. Even if a call looks legitimate, make the caller verify some details, such as their company name, your account number, and your PIN, before you talk to them (the company name and account number are both printed on your bill, but the PIN won’t be). Asking a few questions before you trust someone will let you know whether they are for real or not, and if they really are who they say they are, they will deal with the inconvenience.
That’s the security preach for this week, tune in next week to see if we got our monkeys back!