How to protect your business from social engineering
April 20th, 2015
IT security has been at the forefront of business news at the moment, highlighting how vulnerable companies are to targeted attacks by hackers. Symantec reported that five out of six companies suffered an attack of some kind in the previous year whilst the BBC emphasised a report compiled by Verizon which suggested that it takes an average of 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign.
With this in mind, we decided to examine social engineering, an issue commonly faced by companies which can have far-reaching consequences, and how to protect your business.
What is social engineering?
Social engineering has many definitions but basically, it involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. This could involve obtaining users’ passwords and then use them to access company emails or accounts. While these attacks are not new, they have grown more sophisticated over the years.
Originally hackers would send out mass SPAM emails, hoping at least one person would respond with the details they requested. This progressed to creating fake emails that looked like they were from your bank, requesting password or account information. Once you clicked on the link within the email and entered your login details, you would simply get an error message and the hacker would now have access to your details.
When it comes to targeting businesses, hackers will take their time. First investigating both the companies and key people within it, and then using that information to facilitate their plan. They understand that an attack takes time and won’t ask for too much information at once, compared to the first wave of social engineering emails which directly asked for all your bank details and immediately seemed ‘not quite right’. The attack can come in a range of formats from phone calls and online engineering to impersonation and “dumpster diving”, although Verizon’s report states that phishing emails are still the attack vector of choice.
What are the methods of attack?
Hackers may call targeted employees pretending to be from a supplier, IT, or maintenance. They then state there is a problem and request login or financial details. As there is often a subliminal threat (no orders will go through, you will be locked out of the account, e.t.c.) or since this is a common help desk request, employees are often willing to respond with their details, giving the hacker access.
Pop-up windows may appear to be from the network administrator, asking the user to re-enter their login details in order to proceed. This tends to be less successful as people are typically more aware of hackers online.
Hackers may gain access to key people’s emails, or send emails which appear to be from that person’s email address. In this position of power, they can then ask the recipient to carry out certain tasks. For example, they may email the Financial Director, posing as the company owner, and arrange a bank transfer or for confidential documents to be emailed. To the recipient of the email, this may look like a completely normal request from the sender and they comply.
These can carry viruses, worms and Trojan horses. If the email appears to be a person of authenticity, recipients are more likely to open the attachments. This allows viruses to circumnavigate the firewall and other perimeter defences, making this route particularly devastating for unprepared businesses.
Some common roles may include a repair person, IT support, a manager or a trusted third party. This can take place both over the phone and email, as well as in person.
Reverse social engineering
The hacker creates a persona who appears to be in a position of authority so that users come to them for help. Alternatively, the hacker creates the problem on the system themselves and then calls in to save the day. For example, they take down your systems, then call pretending to be from IT and request access to fix the problem. This is a much more advanced type of social engineering. However, with great planning and research, it can give the hacker a good chance of obtaining valuable information.
Once hackers have access to your system they can then have access to your confidential documents. Be it client contact details or product prototypes.
So when hackers are specifically targeting people within an organisation, how can I protect my business?
IT can help to a certain degree. You should begin by testing your current system for vulnerabilities and weak points which could be exploited. Ensure your systems are being monitored 24×7, in particular, make sure your most valuable, sensitive information is protected.
SPAM and Anti-Virus services can help defend your network against phishing, spoofing, viruses, spyware and DoS (Denial of Service) attacks. Audit trails can also help you keep track of user behaviour across the network. For example, when a person attempts to access an unauthorised section, the system will log this in the audit trail.
A key element of protection, however, comes from properly educating your employees. Social engineering is developing rapidly and the human element remains vulnerable because this technique essentially manipulates trust. Protecting the network requires a comprehensive security policy. It should cover things such as password strength, disclosing confidential information and physical security measures, among others. Make sure you give policies to all users and provide training so they understand why compliance is necessary. A security-aware culture means potential threats will flag up with employees. They will be able to make the correct security decision, even when the information request seems very realistic.
It’s also necessary to have business processes in place so when you receive information requests you know which types should raise red flags. After all, not every call from the IT helpdesk requesting your login information is going to be a hack. The correct processes are different for every company but should contain multiple authorisation paths. For example, two staff members need to authorise payments or you could prevent users from making payments via email.
In the press: Brexit and the tech industry
With the “Brexit” and “Bremain” campaigns both in full flow, Tech Radar Pro examines how leaving the European Union (EU) could impact the UK’s technology industry. Migration, the economy, investment and data laws are all considerations, as the vote draws closer. One of the concerns highlighted by QuoStar CEO Robert Rutherford is the skills shortage. […]
Why should you diversify your IT investment
Investing in a company’s IT systems is now a regular part of planning. However, it’s easy to focus on only a few areas of the business instead of taking a holistic approach. In order to avoid this scenario, the company must look at all areas of the business to build a robust IT infrastructure. How […]
FAQ: What is Cyber Essentials?
Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations. What are the certification levels? There […]