Today I will explain one of my favorite subjects when it comes to hacking: social engineering. Social engineering, or human hacking, is the art of manipulating people into giving up sensitive information, or of gaining their trust in order to exploit them. It is best defined as the use of human interaction to obtain or compromise information about an organization, its computer systems or its personnel. It is essentially hacking without using any code. Hackers don’t just have social skills; they have more intelligence than anyone. Social engineers, or people hackers, specialize in getting you to share information you shouldn’t, like personal details that could lead to a password being stolen. Hacking is a form of power, but we have just as much potential to change our organizational culture, values and safety, because if not us, then who?
There are several methods of social engineering, including fake programs, phishing, vishing and impersonation, among others. You need to protect yourself against becoming a victim of social engineering, and there is no protection from it other than yourself. No antivirus or antimalware will protect you against becoming a victim of social engineering, because it can defeat even the most technologically advanced security systems in the world.
Social engineering can take different forms: an email, a phone call, or a direct chat. Let’s look at some examples. Assume you receive a phone call: “Hello, this is Tom from X technologies. We are collecting credentials for our corporate talent database. What is your username and password?” or “May I have your number to call you back?” Never provide unsolicited callers with corporate information, especially your credentials. Record the details of the call and check with security to verify.
Cybercriminals use phishing to harvest information from computer users through bogus emails and websites. You may easily think it’s an email from your HR representative, company security or even a friend. Check the domain of the email sender, and hover your mouse over links: this shows you what the true destination would be. Forward suspicious emails to your security department, and be very wary of emails about company sites, intranet sites and portals that request your credentials, especially if the request has never occurred before or looks different than usual. Do not ignore warning messages like “Do you want to run this application?”, because bad things can happen to you or your organization. You need to be vigilant to stop social engineering. Train your employees and test them, because your security matters and awareness is the number one defensive measure. Here are some tips to help you protect against social engineering.
Tips on how to protect against social engineering attacks on the web
- A website cannot detect whether your machine has been compromised. If a site says you have a security issue or infection and asks you to download software, beware: only download software from a reputable source. When visiting a webpage, pay close attention to the page URL. Attackers will often make this URL look similar to a genuine site’s.
- Before you enter any personal information on a webpage, check the URL to make sure it starts with https://ExampleURL.com. The ‘s’ indicates that the connection is encrypted and secure.
- Look for browser warnings. Some browsers, like Google Chrome, will warn you if the site you are trying to visit is suspected of social engineering or malware. Pay attention to this warning and think twice before entering personal information.
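The phishing advice above and the URL checks in this list come down to one thing: comparing what an email or page shows you with where it actually sends you. As an added example that is not part of the original post, the Python script below runs those checks automatically over a constructed sample message: it compares the Reply-To domain with the From domain, compares each link’s visible text with the host in its real href, and flags domains that are within a couple of character edits of the organization’s own domain. The trusted domain example.com, the sample message and the look-alike heuristics are all assumptions made for this example. One caveat a practitioner would add to the https tip: the lock only tells you the connection is encrypted, not that the domain belongs to who you think it does, so a look-alike domain can carry a perfectly valid certificate.

```python
"""Flag common phishing indicators in an email: sender/Reply-To mismatch,
link text that names one host while the href points to another, and
look-alike domains. Standard library only; all input is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own domain(s). Anything else is "external".
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample message (not a real email). The first link's visible
# text names the intranet, but the href points at a digit-for-letter look-alike.
SAMPLE_EMAIL = """From: HR Team <hr@example.com>
Reply-To: helpdesk@example-com.co
Subject: Please re-validate your credentials
Content-Type: text/html

<html><body>
<p>Your account needs review. Log in at
<a href="http://intranet.examp1e.com/login">https://intranet.example.com/login</a>
within 24 hours.</p>
<p>Policy: <a href="https://intranet.example.com/policy">intranet.example.com/policy</a></p>
<p><a href="https://intranet.example.com/help">Log in here.</a></p>
</body></html>
"""

# Visible link text that looks like a URL or bare host, e.g. "intranet.example.com/policy"
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels. Fine for example.com-style
    names; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shown_host(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain):
    """True if domain is not trusted but sits within two edits of a trusted
    domain, or embeds a trusted domain's first label (e.g. example-com.co).
    Heuristic only: expect some false positives on unrelated 'example*' names."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return True
    return False


def analyse(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = registrable_domain(sender.split("@")[-1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = registrable_domain(reply_to.split("@")[-1])
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            continue  # mailto:, relative links and the like carry no host
        shown = shown_host(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")
        if looks_alike(registrable_domain(target)):
            findings.append(f"look-alike domain in link: {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed message it reports three findings (the mismatched Reply-To, the link whose text and href disagree, and the examp1e.com look-alike) and stays silent on the genuine intranet links. The same checks are what you do by hand when you hover over a link; the script just refuses to be fooled by what the text says.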
Personal Mitigation techniques
- Don’t plug in USB drives you find lying around
- Beware of what you are saying because you never know who is around you listening
- Shred documents, don’t just bin them (prescriptions, letters, bank statements, anything). Someone might be looking for information so don’t make their life easy.
- Don’t store confidential documents on USB thumb drives, because they are easy to lose and someone can easily pocket them. If you have to store documents on thumb drives, make sure they are encrypted or password protected.
- If you are using company laptops, they should have drive encryption on them. Laptops might not be easy to lose, but people do lose them. If someone steals your laptop, make sure you have encryption on it. Macs, for example, come with encrypted drives by default.
- Beware of who is looking over your shoulder. You could be sitting on the bus working on some documents that you need to finish by the next day, but be aware of who is sitting behind you or next to you and looking at your screen, because anyone can be watching what you are doing.
- Educate yourself about social engineering.
Corporate Mitigation techniques
- Identify what information or assets are most valuable and mark them accordingly. This means using information coding. For example, documents marked “OK for release” could be those in the public domain; documents marked “Release only with authorization” could be those that cannot be released unless they have been approved by someone else; and documents marked “Confidential! Do not release” could be very sensitive commercial documents that should never leave the building. This marking can be reinforced with different color coding on each document’s front page, which makes it very obvious what you can and can’t do with the document.
- Big companies usually have a corporate security document, and it’s a good idea for small companies to have one too. Staff might not read all of these policy documents, so it’s up to the company to follow up with training that highlights the key issues of the security policies, so that if you have to dismiss someone for breaking a security policy, there is a document in place that you can refer to.
- Keep software updated and patched. This is key, because you never know when an exploit might be launched over your network.
- Set up document destruction services and have confidential waste boxes where you put anything you have finished with, so that it gets professionally shredded and disposed of. The bins can be information gold mines at times.
- Never assume your company is too small to be a target. Small organizations are just as likely to be attacked and targeted.