by Scott Lewis
Companies rarely think about Social Engineering when they are talking technology and computer security. They think about the Internet, they think about stolen credit cards or identity theft. However, when you really get down to why many of these security breaches happen it is because of social engineering.
So, what is social engineering? Social engineering is a non-technical kind of intrusion that is based on human behavior that often tricks people unknowingly into breaking security protocols.
I was once doing a technology audit for a company, and the CEO was convinced that his employees would never allow a social engineered type of intrusion. With his permission to try, I arrived one morning unannounced at the clients office. I told the girl at the front desk, who was not the normal front desk person, who I was and that the CEO hired me to work on a problem with one of the servers, but that we had to do it early because he wanted to have a minimum impact on the day’s work load. After we talked for a few minutes, she walked me to the server room, opened the door, pointed it out and left me unattended in the room. A few minutes later she came back with someone else. I went through the same story, but this time I told them that I had found the problem, it was serious and I needed to take the server with me in order to fix it. With some good acting and some additional convincing, she actually got another employee to bring in a two wheeler and help me load it on the two wheeler, roll it to the parking lot and put it in the back of my truck.
This is an example of how with the right information and the right timing people can use social engineering to trick employees into doing things that you would not think they would normally do. This is a true story, but social engineered schemes don’t need to be this elaborate or risky. They can be very simple. For example one easy thing to do is simply ask employees for their username and password. Yes, just ask and you would be surprised how many times employees will provide it. This comes from the fact that it is routine that your IT people will ask users for their username and password, so over a period of time users simply get accustom to providing it when they are asked for it. There is no reason for an IT person to ask a user for their username and password. We can change it any time we want. And even if they do ask, the next thing they say should be that they are going to be required to change it the next time they log into the system.
So how at risk are you? The Ponemon Institute has released a new study that says up to 43% of companies have had a data breach this year. That is up a staggering 10% in one year, and the size and severity of the breaches are increasing.
An example cited in the report was one that most Americans did not hear about pertaining to approximately 40% of the Korean population, an estimated 20 million people, had their personal data and credit card information stolen. According to the Ponemon Institute report the methods used to gather information to access data came from people giving out usernames and passwords, lost USB devices, mishandling files, which could include mistakenly sending files to the wrong person, to leaving the door open to the data room and someone simply walking in.
Other methods people use to gather information in order to use social engineering to gain access to your data are:
• People spotting. This is getting to know the main players in an organization and learning their habits and routines.
• Dumpster diving. It is amazing what companies will simply throw into the trash.
• Physical and virtual impersonation of friends, family, vendors, or even executives within your own organization.
• Direct approach. Then there is simply the direct approach as I outlined earlier. In many cases, you can simply ask for the information and if you are prepared to answer some simple verification questions, employees will simply tell you what you need to know.
How do you protect your company? First is of course training your employees as to what social engineering is and how it is used to gain access to your data. This should be part of your security awareness training and it should be repeated on a regular basis. Second is to evaluate and classify your data. What is confidential? Make sure that data is classified properly then secured properly on your network so that only the people who need access have access to that data. This will limit the breach and provide control over your data. Organize your network in the physical, logical or organizational models. This is simply around putting your data into an organizational structure much like your organizational chart for operations, so people are only given access to data, software and network resources that directly impact their jobs. Lastly, think about the moment of action, which could be software that is internally monitoring your data for file transfers, web filters, email filters, disabling USB drives or DVD drives, and performing Technology Auditing on a regular basis to learn what you don’t know.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies. The Winning Technologies Group of companies is an international technology management company. Scott has more than 30 years of experience in the technology industry, is a nationally recognized speaker on technology subjects such as Collocation, Security, CIO level Management, Data and Voice Communications and Best Practices related to the management of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.
Submitted 8 years 171 days ago