Member Article

Social Engineering: the clever con and you

Picture the scene: you’re at home one evening and Burglar Bill comes knocking on your door. What do you do? We’re guessing the answer isn’t welcome the intruder in, stick the kettle on, and then hand over your sensitive information like bank account numbers and passcodes, giving Burglar Bill free access to your finances and other sensitive information. Of course this is a hypothetical scenario, but when it comes to business, situations like these are commonplace.

It’s a technique used by criminals called Social Engineering; it’s the art of manipulating the potential for human error in order to break security protocols and gain access to a business’ IT systems. In other words, it’s a clever con artist at work with the aim of hacking into sensitive data for some sort of gain, and is one of the greatest threats that businesses encounter today.

A social engineering attack can take many different forms, from baiting to pre-texting and spam to phishing.

Baiting:

This is when a social engineer leaves a malware-infected device – such as USB or CD-ROM – in a visible place so it’s likely to be found. The innocent member of staff then finds the device and loads it onto their computer, therefore unintentionally installing the malware, giving the hackers access to IT systems.

Pretexting:

This is when the social engineer misleads the innocent member of staff in order to gain access to sensitive data. For example, the attacker could pretend to need personal data (such as log-in details) or financial data (such as sort code and account numbers) in order to confirm the identity of the member of staff.

Spam:

We’ve all seen this land in our inbox before – spam. This is when the social engineer sends unsolicited junk mail to spread malware or as a large-scale phishing exercise. Phishing:

This is when the social engineer sends a fraudulent email cleverly disguised as a genuine email pretending to be from a trusted source. The idea behind this con is to trick the member of staff into installing malware onto their computer or device, or alternatively share personal or financial information.

Of the different examples given of social engineering, some attacks can take place remotely like spam and phishing, whereas other techniques require direct access into your place of work in order for the attack to take place, like baiting and pretexting.

Think about it, how many people pass through your office each day who aren’t members of staff? They could be delivering a parcel, checking the phone lines or cleaning the communal areas – or are they? Because the art of social engineering relies on human error, criminals can easily talk their way into your place of work, and once inside the attack can take place.

It sounds like scary stuff and if not managed correctly, the effects of social engineering can massively impact your business in areas including downtime, data breaches and financial loss. The good news is, prevention is better than cure, and there are things you can do to help protect your business from harm.

From a people point of view, security awareness training can help members of staff become more aware of the risks to business – if employees know the different types of social engineering and how human error can play its part, they will be less likely to fall victim to the con. This is all about a common sense approach to using IT; unfortunately, whilst people are becoming more aware when dealing with their personal finance online, this caution often disappears when using IT systems at work.

From an IT point of view, there are also lots of things a business can do to protect systems from social engineering attacks. At Perfect Image, we monitor systems regularly and know what should be part of our client’s infrastructure. In knowing what should be where and when, we’re able to spot any anomalies on the system and raise the alarm before harm can be done. For example, Burglar Bill is posing as a delivery man and gets past the receptionist to gain access to your building. Rather than delivering a parcel, Mr Bill plugs in a malware USB key to a port within your office with the aim of hacking into your IT and accessing data. Our systems can flag this alien device and alert you to the potential attack before it even happens.

Ultimately, social engineering is posing a real threat to businesses today. You wouldn’t invite an intruder into your own home with free reign to access your online banking; make sure you take the necessary precautions to prevent this happening in the workplace too.

For more information about Perfect Image, visit: http://www.perfect-image.co.uk/

This was posted in Bdaily's Members' News section by Perfect Image .