Thu, Dec 17, 2015
TraceSecurity Information Security Analyst, Nathan Turner, frequently performs social engineering testing for organizations of all sizes across all industries. In a recent interview, he answered seven questions organizations typically have about social engineering and how they can protect their company from cyber attacks.
1. What is social engineering and why should organizations be concerned about it?
Social engineering is a term used to describe social attack methods used by malicious individuals to gain access to sensitive company or personal information. The attacker may also want to gain access to an organization’s critical systems to cause interruption or destruction.
Often, social engineering involves what appear to be harmless personal interactions between an individual and an attacker. During these interactions, the attacker gains the trust of the victim, who in return provides the attacker (sometimes unknowingly) with access to sensitive information, critical systems, or critical areas. Sensitive information can include personally identifiable information (PII), private organization information, or user credentials. Critical systems can include servers and network infrastructure devices while critical areas include the spaces that house the information, servers, and network infrastructure devices, as well as electronic/mechanical rooms that house critical facility equipment such as electronic control boxes and breaker boxes. Social engineering attacks can be performed in person or remotely.
An example of a remote social engineering attack involves an attacker sending an email to an unsuspecting victim in order to convince the victim to visit a malicious website. By visiting the malicious website, a virus or other form of malware could be downloaded unknowingly to the victim’s system. The malware could then provide the attacker access to sensitive information on the victim’s system or within the organization’s network.
An “in person” or onsite attack can occur when an attacker visits an organization’s facility and impersonates a service vendor such as an IT consultant or network administrator. The attacker may convince the organization’s employee(s) that system or network device updates are required and therefore gain access to personal computers. However, the attacker’s true intent may be to install a backdoor component that will enable them to access the system and/or the organization’s network at a later time. The attacker could also simply be looking for opportunities to gain unmonitored access to sensitive information or critical systems during the visit.
It has been stated that an organization’s greatest resource is its personnel. This would appear to be true since personnel play a key role in keeping sensitive information and critical areas secure. However, studies have shown that personnel can also be an organization’s greatest liability when it comes to data security. This is exactly why organizations should be concerned about social engineering. The human element has to be considered when attempting to keep information or critical areas secure. Social engineering attacks focus on taking advantage of human errors and/or lack of employee awareness. A quick Google search and a review of one’s inbox indicate that social engineering attacks, especially remote attacks, are happening all the time.