Social Engineering: Knowing the Signs to Prevent These Security Attacks
What is Social Engineering?
Many of you have probably heard the term “social engineering” before, but you may not quite know what it means or how to prevent these malicious attacks. There are many forms of social engineering; however, when we talk about phishing, baiting, and tailgating, we’re not talking about a fun weekend at the lake.
Social engineering: using social means to gain entry into a building, computer system, or data storage.
According to Kevin Mitnick, a reformed computer criminal turned security consultant, it is much easier to trick someone into sharing a password for a system than to spend the effort to crack the system.
You might remember the film Hackers, where the hero gains access to a TV station by tricking a security guard into revealing the phone number of an internal modem, which he then uses to take over the station. That’s social engineering.
Tailgating, Phishing, Baiting, and Quid Pro Quo
Social engineering often falls into four basic schemes: tailgating, phishing, baiting, and quid pro quo.
Tailgating
In our daily lives, social engineering is a bit more subtle, but far more prevalent, than what we see in the movies. For example, an attacker may wait outside a secured door for an employee to enter or exit, then claim a lost or forgotten badge and walk in behind them.
Even though most people might not know what this is called, they’re familiar with the concept of this scheme and how to prevent it. But still, it is human nature to want to help someone in need, which helps make tailgating a successful method of attack.
Phishing
Almost everybody has heard about someone receiving a legitimate-looking email from a service, such as a bank or utility, asking them to verify their information. This is known as phishing.
Most people are savvy enough to recognize this sort of thing, and either ignore it or report it. However, these types of attacks are still effective as they can be very convincing, and many people are tricked into giving away access to their personal information.
Baiting
Baiting is very similar to phishing, but it adds the promise of a good, a service, or money in exchange for providing information.
Quid Pro Quo
In a quid pro quo attack, a hacker calls random numbers at a company claiming to be from technical support. Once they find a cooperative victim, they instruct them to install malware that gives the attacker access to the internal network.
Preventing Social Engineering Attacks
Preventing social engineering attacks is difficult because it relies on knowledge of what these attacks look like. Companies today have policies in place that require account verification before any information is given out, and many provide training to employees in countermeasures against social engineering. Trained individuals must remain vigilant in following safe practices and procedures regarding release of information. Policies and education are not foolproof methods, but they certainly help stem the flow of unprotected information.
Should an attacker gain access to your systems and data through social engineering, you need additional lines of defense. To protect sensitive data such as credit card information, health information, or other personally identifiable information (PII), you should make sure you have multiple layers of security in place, and it is essential that you protect sensitive data at the source using strong encryption and encryption key management to render the data useless to the intruder.
Read the white paper, “The Essential Layers of IBM i Security,” to learn about the six layers of IBM i security and how Syncsort can help you build and optimize your own layers with our best-in-class security software solutions.