By Cory Emmett

Your organization’s proprietary data is your lifeline. At M&I, we protect your business and your information with an industry-leading defense-in-depth strategy. We can mitigate the majority of external threats to your business continuity by hardening servers and network devices, implementing secure remote access and authentication, performing and testing regular backups, introducing fault-tolerant equipment, and using current scanning tools to identify and remediate vulnerabilities. At this point, most IT professionals would call their network ‘secure’; we recognize, however, that the largest threat still remains: social engineering attacks.

Social engineering is perhaps the oldest form of attack and is typically the hardest to protect against. Instead of relying on purely technical methods, social engineering exploits human nature, using trust, courtesy, authority and urgency to obtain information or gain access. Consider the following examples:

Impersonation: Jane is the purchasing manager for a small organization. She routinely works with the sales representative of a well-known office supply retailer. Because the retailer publishes profiles of its employees online, hacker Dave easily learns the representative’s name. Dave calls Jane, saying that he is filling in while her usual representative is on vacation. He tells her that since their last invoice the retailer’s payment details have changed, and that she will need to route payment to a new account number. Jane does not call the retailer back on the number already in her records; she complies, and the money is long gone.

Authority: While dumpster-diving behind a business park, hacker Dave finds a half-shredded document listing internal names, email addresses and phone numbers for employees of a small business. With a few Facebook searches he works out who the C-level employees are. Spoofing the sender address, he emails these employees an official-looking subpoena that carries their full name and contact details and a link for ‘more information’. The link delivers a PDF that again looks legitimate but, when opened, installs a backdoor and keylogging software on the employee’s machine.

Hoax: Jim has been tasked with updating his organization’s social media presence. The company’s Facebook page doesn’t look quite right, so he searches for ‘Facebook Support phone number’. Several of the top results are fraudulent. He picks a page that looks official and lists several support numbers. Hacker Dave is more than willing to take his call, and directs Jim to a page where he installs a remote access agent so that Dave can ‘assist’ him remotely. Once inside the computer, Dave can steal information, plant backdoors, or wreak other havoc on the system.

Tailgating: Hacker Dave visits a thrift store and finds a surplus work uniform, complete with the previous owner’s name patch. He fills a tool belt with official-looking equipment and hops into a white panel van. Knowing that server rooms and network closets are usually in predictable locations, he waits around the corner from a locked, RFID badge-protected door. As soon as a legitimate employee badges in, Dave hurries up carrying a large box. Not wanting to appear impolite, the employee holds the door for him; after all, he looks like a maintenance worker. Once inside, Dave has unquestioned access to plug devices into network jacks and install equipment in plain sight.

Although these may seem like far-fetched scenarios, they occur every day at companies across America, including our own clients. A study by Verizon reported that of the 44 million compromised data records (Social Security numbers, financial information, proprietary data, etc.) exposed in 2013, 78 percent of the intrusions behind them used social engineering as the main exploit. A widely reported example is the impersonation attack against the finance department of Ubiquiti Networks Inc., in which staff were tricked into wiring over $39.1 million to attacker-controlled accounts.

What to Do?

Here's how to protect yourself, your business, and your employees:

  1. Educate your employees: A solid cybersecurity and threat-mitigation plan, reinforced with regular awareness training (much of it available online), is the first and most important step in arming your employees against social engineering.
  2. Be wary of emails: Criminals are adept at impersonating your friends, family, vendors or business contacts. They can spoof the display name or register a look-alike domain; the message appears legitimate in your inbox, but on closer examination the actual sending address is often one character or one domain away from the real one. Be suspicious of any email you didn’t expect, and of every attachment.
  3. Never give out sensitive data: Legitimate organizations will not ask you to supply passwords, account numbers or other sensitive information by email. Many malicious emails appear to come from a source such as PayPal and ask you to log in to review ‘suspicious activity’; the login page linked from the email is a fake designed to steal your credentials. If you need to check an account, type the site’s address yourself rather than following the link.
  4. Be cautious of urgency or authority: Many successful social engineering attempts rely on these two pretexts. Make sure the person you are talking to is entitled to the information they are asking for; do they really need to know who handles trash collection at your company, or what operating system you run? Attackers often ask questions that don’t fit their pretext, intimidate you with authority, or manufacture a false sense of urgency so that you slip up. Any request to change payment details or reset credentials should be confirmed by calling back on a number you already have on file, never one supplied in the message.
  5. Safeguard sensitive data and locations: Document shredding, RFID-enabled locks and keypads, security gates and cameras all help to deter criminals from gathering the information they need to begin an attack.
  6. Use different, complex passwords: A unique password for every account ensures that if one is compromised, the rest remain secure. Where a service offers multi-factor authentication, turn it on, so that a password stolen through a fake login page is not enough on its own.
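Items 2 and 3 describe the mechanics of a spoofed sender and a fake login link. The Python script below, added here as an example and not code from the original article or from M&I, shows how a mail gateway or help-desk triage tool can check for those tricks automatically: a display name that borrows a trusted brand, a look-alike sending domain (typo, homoglyph or trusted name buried as a subdomain), a failed SPF/DKIM result recorded by the receiving server, and a link whose visible text names one site while its href points to another. The trusted-domain list, the homoglyph table and both sample messages are constructed assumptions.

```python
# Phishing-triage checks for items 2 and 3 above.  Added example, not code from
# the original article; TRUSTED_DOMAINS, HOMOGLYPHS and both messages are assumed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"paypal.com", "officesupply.example", "ourcompany.example"}  # assumed
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})   # partial
HOSTLIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def normalize(label):
    """Fold digit-for-letter and rn/vv swaps used in look-alike names."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance; one insert, delete or substitute costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain that `host` imitates (subdomain trick, typo, homoglyph), else None."""
    host = host.lower().rstrip(".")
    reg = ".".join(host.split(".")[-2:])          # crude registrable domain
    if reg in TRUSTED_DOMAINS:
        return None                               # the real thing, or a subdomain of it
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + host + ".":
            return trusted                        # e.g. paypal.com.attacker.example
        brand, shown = trusted.split(".")[0], reg.split(".")[0]
        if normalize(shown) == brand or edit_distance(shown, brand) <= 1:
            return trusted                        # e.g. paypa1.com, paypal.net
    return None

def check_from(from_header):
    """Flag a look-alike sender domain or a display name borrowing a trusted brand."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    imitated = lookalike_of(domain) if domain else None
    if imitated:
        findings.append(f"sender domain {domain} imitates {imitated}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and not (domain == trusted or domain.endswith("." + trusted)):
            findings.append(f"display name {name!r} claims {brand} but address is {addr}")
    return findings

def check_auth(msg):
    """Anything but 'pass' in Authentication-Results means the sender domain was not verified."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return [f"{mech} result is {res}" for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results)
            if res.lower() != "pass"]

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Flag look-alike link hosts, and link text that shows one site but points to another."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        imitated = lookalike_of(host) if host else None
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")
        if HOSTLIKE.fullmatch(text):                    # the visible text is itself a URL/host
            shown = (urlparse(text if "://" in text else "//" + text).hostname or "").lower()
            if shown and shown != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return findings

def triage(raw_message):
    """Run every check over one single-part text/html message; return the findings."""
    msg = message_from_string(raw_message)
    return check_from(msg.get("From", "")) + check_auth(msg) + check_links(msg.get_payload())

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """\
From: PayPal Service <alerts@paypa1.com>
Authentication-Results: mx.ourcompany.example; spf=fail smtp.mailfrom=paypa1.com; dkim=none
Content-Type: text/html

<p>Please <a href="http://paypal.com.account-review.example/login">review suspicious activity</a>
or sign in at <a href="http://203.0.113.7/pp/">https://www.paypal.com/signin</a>.</p>
"""
SAMPLE_LEGIT = """\
From: Office Supply Co <rep@officesupply.example>
Authentication-Results: mx.ourcompany.example; spf=pass; dkim=pass
Content-Type: text/html

<p>Your invoice is ready: <a href="https://www.officesupply.example/invoices/1043">View invoice</a></p>
"""
```

`triage(SAMPLE_PHISH)` returns six findings (look-alike sender domain, borrowed display name, SPF fail, DKIM none, a link host that buries paypal.com in a subdomain, and link text showing www.paypal.com while pointing at a bare IP address); `triage(SAMPLE_LEGIT)` returns none. The registrable-domain logic is deliberately crude (last two labels), so a real deployment would use a public-suffix list and a much fuller homoglyph table.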

Bottom Line

As with most risks to an IT infrastructure, prevention is key. Educating your employees, proactively managing passwords and security, and being cautious when dealing with new or unexpected contacts are the best ways to protect against the dynamic, persistent, external threats that dominate the social engineering attack landscape.
