
How to protect your business from social engineering

IT Security Services
April 20th, 2015


IT security has recently been at the forefront of business news, highlighting how vulnerable companies are to targeted attacks by hackers. Symantec reported that five out of six companies suffered an attack of some kind in the previous year, while the BBC highlighted a report compiled by Verizon which suggested that it takes an average of 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign.

With this in mind, we decided to examine social engineering, an issue commonly faced by companies which can have far-reaching consequences, and how to protect your business.

What is social engineering?

Social engineering has many definitions but, put simply, it involves using tricks or tactics to obtain information from legitimate users of a system in order to gain unauthorised access, without having to break in. This could involve obtaining users’ passwords and then using them to access company email or accounts. While these attacks are not new, they have grown more sophisticated over the years.

Originally, hackers would send out mass spam emails, hoping at least one person would respond with the details they requested. This progressed to creating fake emails that looked like they were from your bank, requesting password or account information. Once you clicked on the link within the email and entered your login details, you would simply get an error message, and the hacker would now have your details.

When it comes to targeting businesses, hackers will take their time, first investigating both the company and the key people within it, and then using that information to carry out their plan. They understand that an attack takes time and won’t ask for too much information at once, unlike the first wave of social engineering emails, which directly asked for all your bank details and immediately seemed ‘not quite right’. The attack can come in a range of formats, from phone calls and online approaches to impersonation and “dumpster diving”, although Verizon’s report states that phishing emails are still the attack vector of choice.

What are the methods of attack?

Phone

Hackers may call targeted employees pretending to be from a supplier, IT, or maintenance. They then state there is a problem and request login or financial details. Because there is often an implied threat (no orders will go through, you will be locked out of the account, etc.), or because this sounds like a routine help desk request, employees are often willing to respond with their details, giving the hacker access.

Online

Pop-up windows may appear to be from the network administrator, asking the user to re-enter their login details in order to proceed. This tends to be less successful as people are typically more aware of hackers online.

Email

Hackers may gain access to key people’s emails, or send emails which appear to be from that person’s email address. In this position of power, they can then ask the recipient to carry out certain tasks. For example, they may email the Financial Director, posing as the company owner, and arrange a bank transfer or for confidential documents to be emailed. To the recipient of the email, this may look like a completely normal request from the sender and they comply.

Email attachments

These can carry viruses, worms and Trojan horses. If the email appears to come from a genuine, trusted person, recipients are more likely to open the attachments. This allows malware to bypass the firewall and other perimeter defences, making this route particularly devastating for unprepared businesses.

Impersonation

Hackers commonly impersonate roles such as a repair person, IT support, a manager or a trusted third party. This can take place over the phone and by email, as well as in person.

Reverse social engineering

The hacker creates a persona who appears to be in a position of authority, so that users come to them for help. Alternatively, the hacker creates a problem on the system themselves and then calls in to save the day. For example, they take down your systems, then call pretending to be from IT and request access to fix the problem. This is a much more advanced type of social engineering, but with careful planning and research it gives the hacker a good chance of obtaining valuable information.

Once hackers have access to your system, they also have access to your confidential documents, be it client contact details or product prototypes.

So when hackers are specifically targeting people within an organisation, how can I protect my business?

IT can help to a certain degree. You should begin by testing your current system for vulnerabilities and weak points which could be exploited. Ensure your systems are monitored 24×7 and, in particular, make sure your most valuable, sensitive information is protected.

Spam filtering and anti-virus services can help defend your network against phishing, spoofing, viruses, spyware and DoS (Denial of Service) attacks. Audit trails can also help you keep track of user behaviour across the network. For example, when a person attempts to access an unauthorised section, the system will log this in the audit trail.
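As an added illustration of how an audit trail is put to use (this is example code written for this post, not a product or tool from the original article), the following Python script scans constructed audit-log lines and flags users with a run of denied access attempts. The log format, user names and the review threshold are assumptions; a real audit trail will have its own fields and the threshold would be tuned to your environment.

```python
"""Flag repeated unauthorised access attempts in an audit trail.

Added example, not code from the original post. The line format,
sample records and threshold below are constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed audit-trail format: timestamp user action resource result
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>allowed|denied)$"
)

# Constructed sample audit trail (not real data): one user probing
# several sections they have no rights to within a few minutes.
SAMPLE_LOG = """\
2015-04-20T09:01:12 user=alice action=read resource=/finance/invoices result=allowed
2015-04-20T09:02:40 user=bob action=read resource=/hr/salaries result=denied
2015-04-20T09:02:55 user=bob action=read resource=/hr/salaries result=denied
2015-04-20T09:03:10 user=bob action=read resource=/finance/payroll result=denied
2015-04-20T09:05:00 user=carol action=read resource=/sales/leads result=allowed
2015-04-20T09:07:30 user=bob action=read resource=/legal/contracts result=denied
"""


def parse_line(line):
    """Return the fields of one audit record, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_attempts(log_text):
    """Map each user to the list of resources they were denied access to."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "denied":
            continue
        attempts[rec["user"]].append(rec["resource"])
    return dict(attempts)


def flag_users(log_text, threshold=3):
    """Users whose denied attempts reach the threshold, sorted by name.

    A single denied request is usually a slip; a run of them across
    sections the user has no business in is the pattern worth reviewing.
    """
    return sorted(
        user for user, resources in denied_attempts(log_text).items()
        if len(resources) >= threshold
    )


if __name__ == "__main__":
    for user in flag_users(SAMPLE_LOG):
        print(f"review: {user} denied on {denied_attempts(SAMPLE_LOG)[user]}")
```

Run as-is, it reports bob, whose four denied reads in six minutes stand out against the single allowed reads of the other users. In practice the same logic would sit in your log management tooling and alert the help desk or security team rather than print to a terminal.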

A key element of protection, however, comes from properly educating your employees. Social engineering is developing rapidly, and the human element remains vulnerable because this technique essentially manipulates trust. Protecting the network requires a comprehensive security policy. It should cover things such as password strength, disclosing confidential information and physical security measures, among others. Make sure you give the policies to all users and provide training so they understand why compliance is necessary. In a security-aware culture, employees will flag potential threats and be able to make the correct security decision, even when an information request seems very realistic.

It’s also necessary to have business processes in place so that when you receive information requests you know which types should raise red flags. After all, not every call from the IT helpdesk requesting your login information is going to be an attack. The correct processes are different for every company but should contain multiple authorisation paths. For example, two staff members could be required to authorise payments, or you could prevent payments from being arranged by email.
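To show what a multiple-authorisation path looks like when written down as rules, here is an added Python example (not code from the original post) that enforces the two controls just mentioned: a payment request needs two distinct approvers, neither of whom may be the requester, and requests that arrive by email are refused outright. The role names, channel names and the two-approver threshold are assumptions chosen for illustration.

```python
"""Dual authorisation of payment requests.

Added example, not code from the original post. Channels, role names and
the approval threshold are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

REQUIRED_APPROVALS = 2
# Assumption: a request that only exists as an email is never acted on,
# since a spoofed "from the owner" email is exactly the case to defeat.
BLOCKED_CHANNELS = {"email"}


class AuthorisationError(Exception):
    """Raised when a request or approval breaks the payment policy."""


@dataclass
class PaymentRequest:
    requester: str
    payee: str
    amount: float
    channel: str                      # e.g. "portal", "email"
    approvers: list = field(default_factory=list)


def submit(requester, payee, amount, channel):
    """Create a request, refusing blocked channels and non-positive amounts."""
    if channel in BLOCKED_CHANNELS:
        raise AuthorisationError(f"payment requests by {channel} are not accepted")
    if amount <= 0:
        raise AuthorisationError("amount must be positive")
    return PaymentRequest(requester, payee, amount, channel)


def approve(request, approver):
    """Record one approval; the requester and repeat approvers are rejected."""
    if approver == request.requester:
        raise AuthorisationError("a requester cannot approve their own payment")
    if approver in request.approvers:
        raise AuthorisationError(f"{approver} has already approved this request")
    request.approvers.append(approver)
    return request


def is_authorised(request):
    """True only once the required number of distinct approvers has signed off."""
    return len(set(request.approvers)) >= REQUIRED_APPROVALS


def rejects(func, *args):
    """Helper: True if the call raises AuthorisationError, False otherwise."""
    try:
        func(*args)
    except AuthorisationError:
        return True
    return False


if __name__ == "__main__":
    req = submit("owner", "ACME Supplies", 12000.0, "portal")
    approve(req, "finance_director")
    print("authorised after one approval:", is_authorised(req))   # False
    approve(req, "operations_manager")
    print("authorised after two approvals:", is_authorised(req))  # True
    print("email request refused:", rejects(submit, "owner", "ACME Supplies", 12000.0, "email"))
```

The point of the structure is that no single message, however convincing, moves money: the spoofed "owner to Financial Director" email from earlier in the post is refused at `submit`, and even a request entered through a legitimate channel still waits for a second, independent person.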
