Social Engineering - What You Need to Know

Geoff Yeagley
Jan 19, 2016 11:04:40 AM

For those of us in the Information Security world, we hear terms thrown around all the time that are often interchanged, confused, and sometimes misused. One of those terms is Social Engineering. On the surface, the term doesn't appear to have anything to do with Information Security, but in fact it has everything to do with it. In our last blog post, we defined Social Engineering. In this post, we are going to talk about some of the different strategies that hackers use to gain access to your company's most sensitive data by exposing your number one asset: your employees.

  • Phishing - This is the one that gets all the attention, as it is probably the most common method used by hackers. The reason is that it is the cheapest, easiest, and fastest method available to them. These attacks can take multiple forms, but the goal remains essentially the same: to steal your confidential information. One of the most common forms is a fake link that installs some form of malware on your system designed to steal information from your network. This can be a link to your online banking account or utility account, or a fake "invoice" that includes a document with a piece of malware or a virus embedded within. Again, the goal remains the same: to gain access to sensitive information and/or credentials to access your company's systems.
  • Pretexting - This is usually a fabricated scenario where hackers pose as an organization and ask you to confirm bits of information to ultimately confirm your identity, thus stealing your information. I had this happen to me recently, or at least something that looked like a Pretexting scenario. I received an email from FanDuel, the daily fantasy sports site, asking me to confirm my information/identity due to the recent legal troubles they have been having. While the link appeared to direct me to a legitimate site, I opted to err on the side of caution and not click on the link and provide my information. Legit or not, something seemed a bit off and I went with my gut and passed on the opportunity.
  • Piggybacking - Let me set the stage for you on this one. It's Monday morning and you are walking into your office to get your week started. As you approach the door, what appears to be one of your colleagues rushes up, looking disheveled and hurried, and asks you to let him or her into the building. You're a good person and want to help your fellow employees out, so you do what most would do and let them into the building. But... how do you know they legitimately work there? How do you know that they should be allowed into the building? What are they going to do when they gain access? This typically happens at side doors and not main entrances, to avoid drawing attention to what they are doing.

Those are just a couple of the scenarios that hackers use to trick your employees into giving them some sort of important information and access to sensitive materials. What can you do about these scenarios? How do you prevent them from happening? The short answer is that you can't prevent them; you can only mitigate the risk of them happening to you. The human element of Information Security remains a wild card that you can't fully control, but you can take some steps to prevent damage from occurring and ultimately mitigate your risks. Think about this for a second. You invest hundreds of thousands of dollars in technology to keep your information safe, but what do you invest to train your employees? You can have the greatest technology in the world, but if one of your employees gives up their username and password through a Phishing scam, how well did that investment pay off? I'm not saying that companies should stop investing in technology at all, but you need to invest in your employees as well.

Join Compass IT Compliance on Thursday, January 21st for our monthly Webinar Knowledge Series, where we will be discussing Social Engineering and the Human Element of Information Security. The details are below; click on the link to register:

What: Social Engineering and the Human Element of Information Security Webinar

When: Thursday, January 21st at 1:00 PM EST

Where: Online, click link to register

Cost: FREE
