How to protect your business from social engineering
April 20th, 2015
IT security has been at the forefront of business news at the moment, highlighting how vulnerable companies are to targeted attacks by hackers. Symantec reported that five out of six companies suffered an attack of some kind in the previous year whilst the BBC emphasised a report compiled by Verizon which suggested that it takes an average of 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign.
With this in mind, we decided to examine social engineering, an issue commonly faced by companies which can have far-reaching consequences, and how to protect your business.
What is social engineering?
Social engineering has many definitions but basically, it involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. This could involve obtaining users’ passwords and then use them to access company emails or accounts. While these attacks are not new, they have grown more sophisticated over the years.
Originally hackers would send out mass SPAM emails, hoping at least one person would respond with the details they requested. This progressed to creating fake emails that looked like they were from your bank, requesting password or account information. Once you clicked on the link within the email and entered your login details, you would simply get an error message and the hacker would now have access to your details.
When it comes to targeting businesses, hackers will take their time. First investigating both the companies and key people within it, and then using that information to facilitate their plan. They understand that an attack takes time and won’t ask for too much information at once, compared to the first wave of social engineering emails which directly asked for all your bank details and immediately seemed ‘not quite right’. The attack can come in a range of formats from phone calls and online engineering to impersonation and “dumpster diving”, although Verizon’s report states that phishing emails are still the attack vector of choice.
What are the methods of attack?
Hackers may call targeted employees pretending to be from a supplier, IT, or maintenance. They then state there is a problem and request login or financial details. As there is often a subliminal threat (no orders will go through, you will be locked out of the account, e.t.c.) or since this is a common help desk request, employees are often willing to respond with their details, giving the hacker access.
Pop-up windows may appear to be from the network administrator, asking the user to re-enter their login details in order to proceed. This tends to be less successful as people are typically more aware of hackers online.
Hackers may gain access to key people’s emails, or send emails which appear to be from that person’s email address. In this position of power, they can then ask the recipient to carry out certain tasks. For example, they may email the Financial Director, posing as the company owner, and arrange a bank transfer or for confidential documents to be emailed. To the recipient of the email, this may look like a completely normal request from the sender and they comply.
These can carry viruses, worms and Trojan horses. If the email appears to be a person of authenticity, recipients are more likely to open the attachments. This allows viruses to circumnavigate the firewall and other perimeter defences, making this route particularly devastating for unprepared businesses.
Some common roles may include a repair person, IT support, a manager or a trusted third party. This can take place both over the phone and email, as well as in person.
Reverse social engineering
The hacker creates a persona who appears to be in a position of authority so that users come to them for help. Alternatively, the hacker creates the problem on the system themselves and then calls in to save the day. For example, they take down your systems, then call pretending to be from IT and request access to fix the problem. This is a much more advanced type of social engineering. However, with great planning and research, it can give the hacker a good chance of obtaining valuable information.
Once hackers have access to your system they can then have access to your confidential documents. Be it client contact details or product prototypes.
So when hackers are specifically targeting people within an organisation, how can I protect my business?
IT can help to a certain degree. You should begin by testing your current system for vulnerabilities and weak points which could be exploited. Ensure your systems are being monitored 24×7, in particular, make sure your most valuable, sensitive information is protected.
SPAM and Anti-Virus services can help defend your network against phishing, spoofing, viruses, spyware and DoS (Denial of Service) attacks. Audit trails can also help you keep track of user behaviour across the network. For example, when a person attempts to access an unauthorised section, the system will log this in the audit trail.
A key element of protection, however, comes from properly educating your employees. Social engineering is developing rapidly and the human element remains vulnerable because this technique essentially manipulates trust. Protecting the network requires a comprehensive security policy. It should cover things such as password strength, disclosing confidential information and physical security measures, among others. Make sure you give policies to all users and provide training so they understand why compliance is necessary. A security-aware culture means potential threats will flag up with employees. They will be able to make the correct security decision, even when the information request seems very realistic.
It’s also necessary to have business processes in place so when you receive information requests you know which types should raise red flags. After all, not every call from the IT helpdesk requesting your login information is going to be a hack. The correct processes are different for every company but should contain multiple authorisation paths. For example, two staff members need to authorise payments or you could prevent users from making payments via email.
Why successful companies have IT leadership on their board
Businesses whose boards have strong digital skills enjoy benefits including 17% greater profits, 34% higher return on assets and 38% faster revenue growth according to a report by MIT SMR. Any of those advantages would put a company in a powerful place against their competitors, so how does this one difference deliver all three? And […]
What can your business gain from Windows 8?
I’m getting asked for advice on Windows 8 regularly, actually I’m getting asked questions daily about one or more of the new products coming out of the Microsoft stable this year or next. In this blog, I’m going to run through some high-level points on Windows 8, tailored for a general audience. Migrating to Windows […]
QuoStar launches new on-demand CIO Service in shake up of digital transformation consulting
Leading IT consultancy QuoStar has announced the launch of a CIO Service that will deliver on-demand access to top-level IT leadership on a flexible, cost-effective basis. QuoStar’s solution will provide businesses with a dedicated, experienced CIO-level Consultant who will work in partnership with the senior leadership team to ensure IT continually delivers measurable results. Businesses […]