A Social Engineer's Tools
- using our desire to help against us
- making an employee feel guilty about not doing him a favor - name-dropping
- using bits previously acquired information to earn trust - working knowledge of company lingo (information gained from multiple calls)
- target information that seems innocent, then using that info to gain access to sensitive information
- basic and intricate manipulation
- many attacks are phone based, but impersonating service workers to gain access to the building occurs also
- creating a problem for an employee that the attacker will ‘solve,’ then asking for a small favor which the employee feels obligated to give
In a typical social engineering attack, the con artist will call and pretend to be a fellow employee, utilizing company lingo and name dropping to gain trust. Then, in a series of calls to different honest employees, the attacker will gain a handful of unrelated, innocent bits of information. But when these tidbits are combined, your network, product design, customer information or account numbers are laid bare.
During an interview in 2011, a former Anonymous member, SparkyBlaze, said: “In my mind social engineering is the biggest issue today. We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing. It all comes down to lies, everyone does it and some people get good at it.”
So how does one defend against such attacks? Teamwork within a company is absolutely necessary to conduct business.
Information is key. Preventing Social engineering attacks is not about hiring more security guards or purchasing a better firewall. The only defence against such an attack is well trained employees who knows how to recognize the signs of an attack. That employee then follows your company’s specific procedures for identity verification, procedures that cannot be falsified.
If you would like more information on training or Social Engineering, please give us a call.