How to protect your business from social engineering
April 20th, 2015
IT security has been at the forefront of business news at the moment, highlighting how vulnerable companies are to targeted attacks by hackers. Symantec reported that five out of six companies suffered an attack of some kind in the previous year whilst the BBC emphasised a report compiled by Verizon which suggested that it takes an average of 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign.
With this in mind, we decided to examine social engineering, an issue commonly faced by companies which can have far-reaching consequences, and how to protect your business.
What is social engineering?
Social engineering has many definitions but basically, it involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. This could involve obtaining users’ passwords and then use them to access company emails or accounts. While these attacks are not new, they have grown more sophisticated over the years.
Originally hackers would send out mass SPAM emails, hoping at least one person would respond with the details they requested. This progressed to creating fake emails that looked like they were from your bank, requesting password or account information. Once you clicked on the link within the email and entered your login details, you would simply get an error message and the hacker would now have access to your details.
When it comes to targeting businesses, hackers will take their time. First investigating both the companies and key people within it, and then using that information to facilitate their plan. They understand that an attack takes time and won’t ask for too much information at once, compared to the first wave of social engineering emails which directly asked for all your bank details and immediately seemed ‘not quite right’. The attack can come in a range of formats from phone calls and online engineering to impersonation and “dumpster diving”, although Verizon’s report states that phishing emails are still the attack vector of choice.
What are the methods of attack?
Hackers may call targeted employees pretending to be from a supplier, IT, or maintenance. They then state there is a problem and request login or financial details. As there is often a subliminal threat (no orders will go through, you will be locked out of the account, e.t.c.) or since this is a common help desk request, employees are often willing to respond with their details, giving the hacker access.
Pop-up windows may appear to be from the network administrator, asking the user to re-enter their login details in order to proceed. This tends to be less successful as people are typically more aware of hackers online.
Hackers may gain access to key people’s emails, or send emails which appear to be from that person’s email address. In this position of power, they can then ask the recipient to carry out certain tasks. For example, they may email the Financial Director, posing as the company owner, and arrange a bank transfer or for confidential documents to be emailed. To the recipient of the email, this may look like a completely normal request from the sender and they comply.
These can carry viruses, worms and Trojan horses. If the email appears to be a person of authenticity, recipients are more likely to open the attachments. This allows viruses to circumnavigate the firewall and other perimeter defences, making this route particularly devastating for unprepared businesses.
Some common roles may include a repair person, IT support, a manager or a trusted third party. This can take place both over the phone and email, as well as in person.
Reverse social engineering
The hacker creates a persona who appears to be in a position of authority so that users come to them for help. Alternatively, the hacker creates the problem on the system themselves and then calls in to save the day. For example, they take down your systems, then call pretending to be from IT and request access to fix the problem. This is a much more advanced type of social engineering. However, with great planning and research, it can give the hacker a good chance of obtaining valuable information.
Once hackers have access to your system they can then have access to your confidential documents. Be it client contact details or product prototypes.
So when hackers are specifically targeting people within an organisation, how can I protect my business?
IT can help to a certain degree. You should begin by testing your current system for vulnerabilities and weak points which could be exploited. Ensure your systems are being monitored 24×7, in particular, make sure your most valuable, sensitive information is protected.
SPAM and Anti-Virus services can help defend your network against phishing, spoofing, viruses, spyware and DoS (Denial of Service) attacks. Audit trails can also help you keep track of user behaviour across the network. For example, when a person attempts to access an unauthorised section, the system will log this in the audit trail.
A key element of protection, however, comes from properly educating your employees. Social engineering is developing rapidly and the human element remains vulnerable because this technique essentially manipulates trust. Protecting the network requires a comprehensive security policy. It should cover things such as password strength, disclosing confidential information and physical security measures, among others. Make sure you give policies to all users and provide training so they understand why compliance is necessary. A security-aware culture means potential threats will flag up with employees. They will be able to make the correct security decision, even when the information request seems very realistic.
It’s also necessary to have business processes in place so when you receive information requests you know which types should raise red flags. After all, not every call from the IT helpdesk requesting your login information is going to be a hack. The correct processes are different for every company but should contain multiple authorisation paths. For example, two staff members need to authorise payments or you could prevent users from making payments via email.
Microsoft Azure guide for IT professionals
Whether you’re considering cloud or are already utilising cloud services it’s likely you have heard of Microsoft Azure. This guide provides you with a high-level overview of the different applications, benefits and the potential drawbacks which you need to be aware of when considering Azure. What is Microsoft Azure? Microsoft Azure is Microsoft’s public cloud […]
How to choose the right document solutions provider
Managed print and document solutions can bring a wealth of benefits, including increased employee productivity and efficiency, the ability to maximise billable hours, and greater document and data security. But in order to truly harness these benefits and enhance your operations, you need to choose the right print and document solutions partner. Many companies will […]
Eight ways to avoid phishing scams
Phishing is a form of online scam in which fraudsters trick Internet users into submitting personal information to what they believe is a legitimate organisation. This can lead to scammers gaining your personal login credentials or the information needed for identity theft. Phishing scams usually arrive as an email pretending to come from a legitimate […]