This isn't the whole story, however, because there is a human factor involved in many cyber-break-ins and other crimes.
The human factor involves everyone from the CEO to the mailroom clerk to the pizza delivery guy or gal; in short, anyone who is given online or physical access to your facilities.
The problem isn't just that these folks could make mistakes -- something we expect -- but that they may be victimized by industrial spies, dilettante hackers or flat-out thieves. And these bad guys don't always use burglary tools or hacking software. Instead, they count on the gullibility of the legitimate user, aiming to extract useful information through social engineering.
According to Social-Engineer.org, social engineering is "the act of manipulating a person to accomplish goals that may or may not be in the target's best interest. This may include obtaining information, gaining access, or getting the target to take certain action." The same site offers a course on "How to be a Professional Social Engineer," which includes a "practical exam."
So, trained or not, the social engineer is looking to manipulate people for his or her own gain or, perhaps, amusement. If this person also happens to be a crook, however, your organization's secrets and your customers' confidential data could be up for grabs -- and, soon, up for sale. Not a pretty picture.
FIGHTING BACK
Social engineers rely on a number of techniques, according to the Data Protection newsletter.
One such tactic is to pose as a company information technology employee and tell the target by phone that their machine has been infected with a virus or worm, then walk them through some technical screens that are actually harmless but look alarming to the non-technophile.
Eventually, the "engineer" offers to fix the problem, asks for the user's password and promises to call back when the problem is fixed. One password successfully stolen. Note that a legitimate help desk has no need for a user's password; any caller who asks for one should be treated as suspect, and the call verified by ringing the IT department back on a known number.
The strategy plays on a person's fear and lack of comfort with technology, the article noted. "If you can put someone in a position where they think they are in trouble, and then be the one to fix it, you automatically gain their trust," said a social engineering expert.
And there are many more scams that give unauthorized individuals online or physical access to your enterprise, including one in which an engineer gained physical access by wearing a $4 Cisco shirt he had bought at a thrift store, said Data Protection.
Criminals may spend weeks or months getting to know a place before ever coming in the door. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, whom to ask for and having confidence are often all it takes for an unauthorized person to gain access to a facility.
The lesson is clear: Security is more than having the right technology. It requires the proper mindset, attention to detail and employees who have been made aware that these approaches exist. Such incidents may not happen frequently, but one big-time hack may be all it takes to bring serious trouble to your organization.
ARA TREMBLY is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at riskletters@lrp.com.
October 1, 2012
Copyright 2012© LRP Publications