What is Social Engineering?
When most people think about hacking they picture something out of the movies. You know the scene: a hooded hacker at a keyboard performing all sorts of technological wizardry to get around a computer's defenses. Unfortunately, that is also exactly the threat most organizations design their defenses around. The problem is that there is a hole in that sort of defense strategy.
Now when I say "a hole", I'm not talking about the small pits dogs dig in the backyard to stash their bones. Oh no. I'm talking about a colossal hole so huge it could swallow a planet and ask for seconds. Most of the organizations I've done security audits on share this same massive oversight in their defensive strategy. So, what is it? What monumental mistake is being made by so many organizations?
It’s simple really. They totally ignore the human element in the situation.
Organizations take great pains to make sure electronic defenses like antivirus software, firewalls and intrusion prevention systems are all in place. Now don't get me wrong! Electronic defenses are an absolute necessity in this day and age. But none of it matters if an attacker bypasses your expensive firewall, evades your intrusion prevention system, and circumvents your antivirus by targeting your employees directly.
That is the essence of social engineering: leveraging normal human behavior to gain access. The idea is that rather than hacking the technology, you hack the people. The basic methods include instilling a sense of urgency, because that kind of pressure encourages people to act without thinking. Other times the social hack is an appeal to a target's humanity and niceness, like using a story about having left keys at home to be let into a building. Social engineering is about presenting a situation so that it benefits the attacker. It's Psychology 101.
So how do you address and defend against social engineering attacks? Awareness and policy and procedure are basically your only options; humans typically can't be patched and updated. However, you can still refine those procedures to help defend against a socially engineered hack. First, identify the areas where a successful attack would be the most costly. A couple of easy examples are unauthorized physical access (which leads to theft of equipment) and finance functions like payroll and bill payment (which lead to theft of money). Then create policies and procedures that fit those areas. In a small organization where everyone knows everyone you might not need rigid access policies, but in a larger organization, or any environment where you can't tell at a glance who belongs and who doesn't, a strict access policy is a must.
The finance department of any organization is also a target, and the bigger the organization, the more money is involved, and the bigger a target it becomes. It's important to have intelligent procedures in place for things like paying bills, changing payment information, and accessing any financial information. I've read too many articles where an organization got scammed out of thousands, even millions, of dollars because someone in finance received an email from someone important (like the CEO) saying a bill needed to be paid immediately or that an account's banking details had changed. The target then followed established procedures that weren't sufficient, and, well, you know the rest. The procedure that actually holds up is simple: any request to move money or change payment details gets verified out of band, by calling a number already on file rather than one supplied in the request, and gets a second approver. An email, however urgent and however senior its apparent sender, is never sufficient on its own.
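The CEO-fraud pattern described above leaves traces that a mail-handling script can flag before a person ever feels the pressure. The following is an added example written for this post, not code from TRINUS or from the original article: a small triage heuristic that looks at constructed sample messages for an executive's display name on an outside domain, a sender domain one typo away from the company's own, a Reply-To that points somewhere else, urgency language and payment or banking wording. The organization domain `example.com`, the executive names, the regular expressions and the three sample emails are all assumptions made up for the example.

```python
"""Heuristic triage for CEO-fraud style payment requests (added example)."""
import email
import email.utils
import re

# Constructed assumptions for this example (not from the original post):
# the organization's own mail domain and the executives whose names a
# CEO-fraud email is likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"pat morgan", "alex chen"}   # hypothetical CEO and CFO

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|right away|before (?:noon|close of business)|today)\b",
    re.I)
PAYMENT = re.compile(
    r"\b(wire(?: transfer)?|invoice|payment|bank(?:ing)? (?:account|details|information)|"
    r"routing number|account (?:number|details|information)|payroll|direct deposit)\b",
    re.I)


def _parse_address(header):
    """Split a From/Reply-To header into (display name, address, domain), lower-cased."""
    name, addr = email.utils.parseaddr(header or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def _edit_distance_leq_1(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def is_lookalike_domain(domain):
    """A sender domain one typo or homoglyph away from ours (examp1e.com, exampl.com)."""
    return bool(domain) and domain != ORG_DOMAIN and _edit_distance_leq_1(domain, ORG_DOMAIN)


def triage(raw_message):
    """Score one RFC 822 message; returns the reasons found and a verdict.

    Verdicts: "hold" (identity anomaly plus a money request: verify by phone on a
    number already on file, never one taken from the email), "review", or "ok".
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr, from_domain = _parse_address(msg.get("From"))
    _, reply_addr, reply_domain = _parse_address(msg.get("Reply-To"))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    if from_name in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        reasons.append("executive display name on a non-corporate sender domain")
    if is_lookalike_domain(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    if reply_addr and reply_domain != from_domain:
        reasons.append(f"Reply-To ({reply_addr}) differs from From ({from_addr})")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if PAYMENT.search(text):
        reasons.append("payment or banking request")

    identity_problem = any(r.startswith(("executive", "lookalike", "Reply-To")) for r in reasons)
    money = "payment or banking request" in reasons
    if identity_problem and money:
        verdict = "hold"
    elif len(reasons) >= 2:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages for the example (not real traffic).
CEO_FRAUD = """\
From: Pat Morgan <pat.morgan@examp1e.com>
Reply-To: patmorgan.ceo@mail.example.net
To: accounts.payable@example.com
Subject: Urgent wire needed today

I'm in meetings all day and can't take calls. Please process the attached
invoice immediately; the vendor's bank account details have changed, new
routing number below.
"""

INTERNAL_RUSH = """\
From: Alex Chen <alex.chen@example.com>
To: payroll@example.com
Subject: Direct deposit change

Please update my direct deposit to the new account immediately, thanks.
"""

ROUTINE = """\
From: Sam Rivera <sam.rivera@example.com>
To: accounts.payable@example.com
Subject: Q3 team offsite agenda

Draft agenda attached, let me know if Thursday works for everyone.
"""

if __name__ == "__main__":
    for label, sample in [("CEO_FRAUD", CEO_FRAUD), ("INTERNAL_RUSH", INTERNAL_RUSH),
                          ("ROUTINE", ROUTINE)]:
        result = triage(sample)
        print(label, result["verdict"], result["reasons"])
```

The `INTERNAL_RUSH` sample shows why the verdict is "review" rather than "ok" when the sender address is genuinely internal: a legitimate mailbox can still be a compromised one, so an urgent payroll change from inside the company deserves the same callback to a number on file as a request from outside. The heuristic is deliberately crude and is no substitute for the procedure itself; its job is to make sure the pressure tactic the attacker relies on never reaches the person who can move the money without a second set of eyes.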
This is the sort of thing the bad guys understand. It makes their lives easier because it makes their attacks more successful. It's important to remember that keeping your organization safe isn't simply a job for the IT team. Your organization needs a well-rounded defense, one that includes the social as well as the technological aspects. Niceness and honesty are admirable human traits that become powerful weapons when they are exploited.
As Shakespeare wrote in Timon of Athens “Every man has his fault, and honesty is his”.
If you have any questions about defending against social engineering, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.