Social engineering takes many forms, including physical access to buildings, email phishing and telephone calls. As Dorothy Denning, author of Information warfare and security said, “Any medium that provides one-to-one communications between people can be exploited, including face-to-face, telephone and electronic mail. All...
it takes is to be a good liar”.
An attacker may call an organisation’s help desk pretending to be an employee who has forgotten their password. Help desk staff will frequently assist this helpless, non-technical caller to log on remotely and reset their password for them, without ever verifying their identity.
Our tests reveal that most organisations are vulnerable to telephone attacks, resulting in remote access to systems which are difficult to detect and may persist for days, weeks or even months.
- Always verify a caller, using information only they should know
- If you are suspicious, call back on a number you know is legitimate
- Report any phone calls that you suspect might be social engineering attacks
Mail attachments and web links remain very popular among social engineers, enticing users to click to gain access to something appealing or illicit while silently installing Trojan software on their computer. Once installed, this software can capture every keystroke and mouse click, and even take screenshots, then quietly mail everything to the attacker.
In a recent test, we crafted an e-mail with a link to a web page purporting to be a survey on information security. We used graphics and links from the genuine corporate website to ensure the pages looked realistic. Using emails linked to simple web forms, we stole usernames and passwords, as well as valuable information about the organisation’s security procedures.
- Never reveal personal or sensitive information in response to an email, no matter who appears to have sent it
- If you receive a suspicious email, call the person or organisation in the "From" field before you respond or open any attached files
- Never click links in an email that requests personal or sensitive information. Enter the web address into your browser instead
- Report any email that you suspect might be an attack
Another technique involves visiting the premises in person. A bogus employee or visitor can look for information lying on desks, overhear conversations, plant a keylogger or even connect a laptop to the corporate network.
Read more about social engineering
In recent tests, we were able to read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and, most worryingly, connect to the network in a meeting room and steal passwords and data.
- Always confirm an appointment before letting anyone in to the building
- Do not leave any visitor unattended at any time
- If you see someone you do not recognise, ask to see their pass or report them
- Do not leave confidential papers on your desk
- Lock your screen when you leave your desk
Most organisations are surprised by the ease with which social engineering defeats their security. The human factor provides a simple and effective route to bypass even the best hardware and software security controls, yet is commonly overlooked or considered too difficult to solve.
As more and more data breaches are published, perhaps some of the significant investment in security products can be diverted into education and training to strengthen the human firewall.
Peter Wood is CEO of First Base Technologies LLP